Mozilla admits to possible leak of user information

29 December 2010

Mozilla, the developer of the Firefox browser, admitted that it accidentally posted sensitive information about the users of its addons.mozilla.org site to a public web server.

In an email to the site’s users, Mozilla said that a third party notified the company Dec. 17 that a file containing user records was posted to a public web server. Mozilla said the file contained user email addresses, first and last names, and MD5 password hashes.

“We immediately took the file off the server and investigated all downloads. We have identified all the downloads and with the exception of the 3rd party, who reported this issue, the file has been downloaded by only Mozilla staff”, the company said in its email.

Mozilla removed the passwords from the site and asked users to reset their passwords for that site as well as other Mozilla sites. “We have identified the process which allowed this file to be posted publicly and have taken steps to prevent this in the future. We are also evaluating other processes to ensure your information is safe and secure”, the email said.

In a Dec. 27 blog post, Chris Lyon, director of infrastructure security at Mozilla, said that the file included 44,000 inactive accounts using older, MD5 password hashes. The company erased the MD5 passwords, rendering the accounts inactive. Lyon stressed that current users employ the more secure SHA-512 password hash with per-user salts and therefore are “not at risk”.

In a blog post, Chester Wisniewski, senior security advisor at Sophos Canada, explained the problem with the MD5 password hashes: “MD5 has cryptographic weaknesses that permit creation of the same hash from multiple strings. This permits security experts to compute all the possible hashes and determine either your password or another string that will work even if it is not your password”.

Wisniewski commended Mozilla for its rapid response to the incident but wondered how the company accidentally published the file in the first place and why it still had MD5 password hashes in its system.

“If you are a web site administrator/developer, are you still storing passwords using methods like Gawker (DES) or Mozilla (MD5)? We know they are broken, and it is important to migrate away from these algorithms in case you have a database accidentally make its way outside of your organization”, he wrote.
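As an added illustration (not code from the article, from Mozilla or from Sophos), the following Python sketches the migration Wisniewski calls for: an audit of which records still hold unsalted MD5 hashes, and a login path that re-hashes such a record with a per-user salt the first time the user authenticates successfully. The salted scheme used here (PBKDF2 over SHA-512) and the sample accounts are assumptions, not details of Mozilla's system.

```python
import hashlib
import hmac
import os

LEGACY_MD5 = "md5"          # unsalted MD5: the scheme the exposed records used
SALTED = "pbkdf2_sha512"    # assumed upgrade target: per-user salt, iterated SHA-512
ITERATIONS = 200_000

def md5_hex(password: str) -> str:
    # Legacy scheme: no salt, so equal passwords give equal hashes.
    return hashlib.md5(password.encode()).hexdigest()

def make_salted_record(password: str, salt: bytes = b"") -> dict:
    # Fresh random salt per user; the same password yields a different hash each time.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return {"scheme": SALTED, "salt": salt.hex(), "hash": digest.hex()}

def verify(record: dict, password: str) -> bool:
    # Constant-time comparison for both schemes.
    if record["scheme"] == LEGACY_MD5:
        return hmac.compare_digest(record["hash"], md5_hex(password))
    if record["scheme"] == SALTED:
        digest = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                     bytes.fromhex(record["salt"]), ITERATIONS)
        return hmac.compare_digest(record["hash"], digest.hex())
    raise ValueError("unknown hash scheme: %r" % record["scheme"])

def login_and_upgrade(store: dict, username: str, password: str) -> bool:
    # On a successful login the plaintext is available, so a legacy
    # record can be re-hashed to the salted scheme transparently.
    record = store.get(username)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] == LEGACY_MD5:
        store[username] = make_salted_record(password)
    return True

def legacy_accounts(store: dict) -> list:
    # Audit helper: accounts that still hold unsalted MD5 hashes.
    return sorted(u for u, r in store.items() if r["scheme"] == LEGACY_MD5)

def demo_store() -> dict:
    # Constructed sample data: two legacy users sharing a password, one migrated user.
    return {
        "alice": {"scheme": LEGACY_MD5, "salt": "", "hash": md5_hex("hunter2")},
        "bob":   {"scheme": LEGACY_MD5, "salt": "", "hash": md5_hex("hunter2")},
        "carol": make_salted_record("hunter2"),
    }
```

Because the legacy hashes are unsalted, alice and bob start with identical hash values, so one precomputed lookup would reveal both passwords; after alice's next login her record no longer matches bob's.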
