A database containing 44,000 usernames and password hashes associated with accounts registered on the Mozilla add-ons website was accidentally made public, the organization and makers of the Firefox Web browser said on Monday. The partial database of user accounts was mistakenly left on a Mozilla public server, which would have allowed anyone to access the account usernames and the password hashes.
The good news? Says Mozilla: no one did. Well, no one except for the one security researcher who found them.
According to a post on the Mozilla security blog, a security researcher reported the issue via Mozilla’s Web bounty program, a program that encourages external, non-employee security professionals to find and submit bugs to Mozilla. In return, Mozilla pays cash ($500 to $3,000 for valid bugs) for the submissions. Although Mozilla isn’t saying, this is probably one of those $3,000 rewards.
This news comes on the heels of another high-profile password breach – the mid-December hacker attack on Gawker Media’s servers, which ended up exposing the usernames and passwords of 1.3 million user accounts, created for commenting purposes on popular weblogs like Gawker, Gizmodo, LifeHacker, Kotaku, io9, Jezebel and others.
How Were the Passwords Protected?
Like Gawker’s passwords, which were poorly protected with DES encryption, an older, less secure technology, Mozilla’s passwords in this instance were protected with MD5 hashes, another older method of protection. These passwords can be cracked, explains Chester Wisniewski on the Sophos security blog. “MD5 has cryptographic weaknesses that permit creation of the same hash from multiple strings,” he says. “This permits security experts to compute all the possible hashes and determine either your password or another string that will work even if it is not your password.”
Mozilla hasn’t used MD5 since April 9, 2009 – it now uses SHA-512, a significantly stronger hashing algorithm. The database in question, however, housed older, inactive accounts whose passwords were still stored as MD5 hashes.
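The difference between the unsalted MD5 storage described above and a salted, iterated hash, shown as an added example that is not Mozilla's code: the record formats, the choice of PBKDF2-HMAC-SHA512, the iteration count and the sample accounts are all assumptions made for illustration. Two users with the same password get identical MD5 records (which is what makes precomputed tables work), and an audit helper counts how many legacy records remain while logins migrate them.

```python
import hashlib
import hmac
import os

# Constructed record formats, not Mozilla's actual schema.
LEGACY_PREFIX = "md5$"            # unsalted MD5 of the bare password
MODERN_PREFIX = "pbkdf2_sha512$"  # salted, iterated PBKDF2-HMAC-SHA512
ITERATIONS = 200_000              # assumed work factor for the example


def legacy_md5_record(password):
    """Unsalted MD5, as the older accounts in the article were stored."""
    return LEGACY_PREFIX + hashlib.md5(password.encode()).hexdigest()


def modern_record(password, salt=None):
    """Per-account random 16-byte salt plus an iterated, slow hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return f"{MODERN_PREFIX}{ITERATIONS}${salt.hex()}${digest.hex()}"


def is_legacy(record):
    return record.startswith(LEGACY_PREFIX)


def verify(record, password):
    """Check a password against either format using constant-time comparison."""
    if is_legacy(record):
        return hmac.compare_digest(record, legacy_md5_record(password))
    _, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_and_migrate(records, user, password):
    """On a successful login against a legacy record, rewrite it in the modern format."""
    record = records.get(user)
    if record is None or not verify(record, password):
        return False
    if is_legacy(record):
        records[user] = modern_record(password)
    return True


def count_legacy(records):
    """Audit helper: how many accounts still carry unsalted MD5 hashes."""
    return sum(1 for r in records.values() if is_legacy(r))


# Constructed sample data: alice and bob chose the same password.
SAMPLE = {
    "alice": legacy_md5_record("hunter2"),
    "bob": legacy_md5_record("hunter2"),
    "carol": modern_record("correct horse"),
}
```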
What’s Being Done
To address the issue, Mozilla says it erased all the MD5 passwords, effectively disabling the accounts.
Chris Lyon, Director of Infrastructure Security for Mozilla, says “the issue posed minimal risk to users,” because, according to Mozilla’s logs, the only person who accessed the database was the security researcher who reported the problem. Lyon also reassured users that the incident did not impact any of Mozilla’s infrastructure.
While the risk may be minimal, Wisniewski suggests that anyone contacted by Mozilla as having been one of the unfortunate users whose account information was exposed should make sure they are not using that same password at other websites, just in case. If so, change those passwords immediately. “If [Mozilla is] wrong or if the discloser is not trustworthy, your other accounts may be at risk,” he says.