360 Responds to Security Lobster Private Key Leak: Caused by Business Error, Certificate Limited to Local Use Has Been Revoked
Odaily: According to monitoring by 1M AI News, the 360 security team has responded to the Security Lobster (OpenClaw) wildcard certificate and private key leak incident, stating that it was caused by a business error in which an internal domain certificate was packaged into the installation package. The certificate involved, *.myclaw.360.cn, resolves to the local loopback address 127.0.0.1, is used only on the user's local machine, and provides no external services.
After receiving reports from multiple security researchers, 360 applied to have the certificate revoked. The certificate is now invalid and can no longer be used for any legitimate HTTPS encrypted communication. Ordinary users are not affected. A theoretical risk of man-in-the-middle attacks during the leak window remains, but because the service backed by the certificate runs only in the local environment, the actual risk is relatively limited.
