
Mozilla Posts File Containing Registered User Data

wiredmikey writes "Mozilla yesterday sent an email to registered users of its addons.mozilla.org site, letting them know that it had mistakenly posted a file to a publicly available Web server which contained data from its user database including email addresses, first and last names, and an md5 hash representation of user passwords."

24 of 154 comments

  1. Don't fret before reading TFA... by ferongr · · Score: 2, Informative

    TFA says that it was the user database of the AMO (addons.mozilla.com) website, nothing to do with the Sync server.

    1. Re:Don't fret before reading TFA... by cheater512 · · Score: 4, Informative

      Nope no exploit. They just accidentally made a backup publicly accessible.

      They went through the logs and no one actually downloaded it except the person who notified them of the problem.

    2. Re:Don't fret before reading TFA... by Anonymous Coward · · Score: 4, Funny

      I just checked with the RIAA and they said that it is likely that thousands of people downloaded it from that person's machine.

    3. Re:Don't fret before reading TFA... by ehrichweiss · · Score: 2

      I wish I had mod points and that you weren't logged in as A/C because *that* my friend is CLASSIC!

      --
      0x09F911029D74E35BD84156C5635688C0
  2. Mozilla's public disclosure by Giorgio+Maone · · Score: 5, Informative

    http://blog.mozilla.com/security/2010/12/27/addons-mozilla-org-disclosure/
    Active accounts have their password SHA-512 hashed with per-user salt, so they're safe (for a while). However those 44,000 holders of older (and now disabled) MD5 hashed accounts should rush changing their passwords elsewhere, if they have the bad habit of using the same password everywhere...

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript
    1. Re:Mozilla's public disclosure by Rich0 · · Score: 5, Interesting

      > if they have the bad habit of using the same password everywhere

      What alternative do you propose? I must have accounts on 100 different websites by now, including this one. I can't create and remember 100 distinct strong username/password combinations on all of those websites. Unless you're an autistic savant you can't either.

      Passwords are false security - they are a way to CYA and blame the victim for causing the problem, while giving them no realistic solution. Sites that depend on their users choosing unique passwords for security are simply insecure, period.

    2. Re:Mozilla's public disclosure by Rich0 · · Score: 2

      That's great, and how do you propose keeping all those passwords secure and synchronized across multiple devices and operating systems, some of which I'm not permitted to install software on?

      It isn't like I only access the web from one terminal...

    3. Re:Mozilla's public disclosure by Rich0 · · Score: 2

      What would be the point?

      Suppose the gizmodo password hashes are leaked, and somebody figures out that my username is rich0 and my password is gizmodo875.

      Does it do me any good that my slashdot password is slashdot875?

      This is why password aging is useless - if somebody finds the password of useless12 no longer works on a site that enforces aging they just have to log in using useless13 and that will work for 99% of accounts.

    4. Re:Mozilla's public disclosure by gbjbaanb · · Score: 2

      > That's great, and how do you propose keeping all those passwords secure and synchronized across multiple devices and operating systems, some of which I'm not permitted to install software on?

      postit notes of course!

      Ok, I use Keepass which is brilliant, and will work on your phone too, so you have no excuse to have a DB of passwords (randomly generated by Keepass itself if necessary). The db and app are tiny and will happily install onto other systems (by copying the keepass binary and the db file) so you only need to find a way to keep your db file updated... personally, I use a usb drive as my passwords don't change that often. If I have to copy it onto a computer that doesn't allow usb... I zip and email it to myself instead.

      It's not an insurmountable problem, and the relatively minor inconvenience of being organised with 1 file is a lot less hassle than updating a hundred sites that you used a single compromised password on.

      Xmarks is still kicking though, that lets you store passwords and you can encrypt them, not that I use it for passwords.

    5. Re:Mozilla's public disclosure by multipartmixed · · Score: 2

      > Bonus points if you change your passwords once in a while.

      I change my "Lev6" passwords now and again, and those are the only ones I write down -- because they DON'T have password recovery mechanisms.

      I write them down in my phone, which I keep on me at all times, and a trusted friend knows how to retrieve them in case I get killed.

      The reason I change them now and again is because I occasionally lose my phone... :/

      --

      Do daemons dream of electric sleep()?
    6. Re:Mozilla's public disclosure by Rich0 · · Score: 3, Insightful

      I think you're stretching "easily computable" - when I want to log into a website I don't want to spend 10 minutes with a calculator and an ascii table, or require access to the md5sum application.

      Plus, this only works if it remains an uncommon way of generating passwords. If it becomes commonplace, then if a hacker can run through a bazillion md5 sums do you think that it will take them long to include variants of site names represented as ascii in their attacks? Once they figure out your algorithm through brute-force then it can be trivially applied to any other sites you have accounts on.

  3. Kudos to Mozilla by duvel · · Score: 5, Interesting

    This is really well played by Mozilla. We are witnessing a prime example of crisis-communication. The basic rules are:
      - Communicate early (even if you don't have all the facts yet)
      - Communicate honestly (even if you're to blame)
      - Promise follow-up (as needed)
    Performing their crisis-communication this well will probably improve public perception of Mozilla. It will certainly raise the bar for other companies.

    --

    I have a photographic memory for numbers. I know almost a hundred of them.

    1. Re:Kudos to Mozilla by partyguerrilla · · Score: 2

      I disagree, mistakes like this should not happen at all.

    2. Re:Kudos to Mozilla by kestasjk · · Score: 3, Funny

      Here at slashdot we try to be supportive when tech companies make mistakes; we never kick people when they're down or make fun.

      Mozilla may not be our favorite tech company and we may not agree with their software development methodology; but damn it we're not going to treat them any differently, and will give them our support just like we would any down-on-their-luck company which made a silly one-off mistake!

      --
      // MD_Update(&m,buf,j);
    3. Re:Kudos to Mozilla by higuita · · Score: 4, Insightful

      It should not happen, but we are all humans (I think!!) and humans make mistakes (and scripts/robots break and fail, by the way).

      All of us who administer servers have made some mistake in the past and probably will make more in the future. We can try to put enough road blocks in place to reduce the severity of the mistake, but they happen.

      So, as "sh*t happens", the openness and honesty of Mozilla is to be praised; most closed-source companies would try to hide and ignore things like this.

      --
      Higuita
    4. Re:Kudos to Mozilla by Opportunist · · Score: 5, Insightful

      No, they should not. But mistakes happen where humans are at work. The question is, how do these humans then deal with the problems they caused?

      The usual is to hush-hush and hope nobody notices. Mozilla could have done just that, and with far better conscience than other companies who followed that practice. According to the logs, the file was downloaded once, and that's by the person that informed them about the mistake. Essentially, one could assume that this is as "safe" as it gets considering the blunder. If they just decided to shut up about it, probably nobody would have noticed.

      But is that the right way to deal with a problem that can potentially affect your customers?

      I quite strongly recommend NOT chewing them out for making a mistake but actually applauding their very considerate approach to dealing with it. Consider the "learning effect": Chew them out and the learning effect is that it's better to just hush up when you lose customer data, especially if the chance of it getting into the wrong hands is slim. That's pretty much what most other companies do, and even if it gets out it rarely causes more than a bit of a tempest in a teapot on /.

      Outside the security concerned tech community, nobody even notices.

      So yes, mistakes like that should not happen. But they do. They happened, they happen and they will happen as long as humans are somehow involved in the process. Hence I welcome how they dealt with it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Kudos to Mozilla by jamesh · · Score: 2

      > I disagree, mistakes like this should not happen at all.

      That's a given, but mistakes will happen, and did happen, and they did the right thing in response. Once the crisis is over I'm sure they'll look at what went wrong and how to stop it happening in the future, so stepping up onto a soapbox and saying "this should not happen" doesn't actually help. I think they already know that, and your attitude makes it _worse_ because potential hostility from people who don't understand this stuff might make companies think twice about reporting, and then we all lose.

      The only thing worse than making a mistake is making a mistake and then making another mistake by not handling the crisis correctly. I'd rather know before the bad guys (or as soon as possible after) that my password was leaked in a relatively insecure form vs only finding out when the company is forced into admitting it. And in fact this leak appears to be relatively benign unless you use the same password in multiple places or are dumb enough to be under the illusion that your email address and full name isn't already in someone's inbox or address book somewhere for malware to find.

    6. Re:Kudos to Mozilla by mwvdlee · · Score: 2

      Wow, why didn't we all just think of that?
      All we need to do is be perfect; it's so simple!

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  4. Re:They handled it well by Opportunist · · Score: 3, Insightful

    Consider the consequences if it doesn't "excuse" it.

    Essentially, a company making a mistake has two choices: Hush it up or come forward. Now, obviously the latter does not have any immediate benefit for them. It becomes known that they fucked up. Not good.

    Trying to cover it up has the nice effect that maybe nobody notices. And in this case, the chance of this happening was actually pretty high.

    If the net effect is the same, whether they cover it up or admit it, the choice is obvious. If I get accused of a crime and whether I plead not guilty (and hence force a lot of witnesses to testify and clog down the legal system) or guilty (and spare the witnesses to face me again, as well as running the whole process with far less waste of resources) has no effect on the verdict, nobody will plead guilty and confess anymore. Why should they? There's nothing to gain with it, is there?

    If you condemn a company making a mistake no matter whether they admit it or try to hide it, nobody will admit it anymore. And that can cause quite a bit more harm if that info gets into the wrong hands and hence your passwords get known by people who might abuse them, all because a company decided to play possum and you not knowing that your credentials have been compromised.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Re:atleast by JackieBrown · · Score: 3, Informative

    I got one last night.

    Mozilla Add-ons to davidbroome, 6:52 PM (11 hours ago)
    Dear addons.mozilla.org user,

    The purpose of this email is to notify you about a possible disclosure
    of your information which occurred on December 17th. On this date, we
    were informed by a 3rd party who discovered a file with individual user
    records on a public portion of one of our servers. We immediately took
    the file off the server and investigated all downloads. We have
    identified all the downloads and with the exception of the 3rd party,
    who reported this issue, the file has been downloaded by only Mozilla
    staff. This file was placed on this server by mistake and was a partial
    representation of the users database from addons.mozilla.org. The file
    included email addresses, first and last names, and an md5 hash
    representation of your password. The reason we are disclosing this event
    is because we have removed your existing password from the addons site
    and are asking you to reset it by going back to the addons site and
    clicking forgot password. We are also asking you to change your password
    on other sites in which you use the same password. Since we have
    effectively erased your password, you don't need to do anything if you
    do not want to use your account. It is disabled until you perform the
    password recovery.

    We have identified the process which allowed this file to be posted
    publicly and have taken steps to prevent this in the future. We are also
    evaluating other processes to ensure your information is safe and secure.

    Should you have any questions, please feel free to contact the
    infrastructure security team directly at infrasec@mozilla.com. If you
    are having issues resetting your account, please contact
    amo-admins@mozilla.org.

    We apologize for any inconvenience this has caused.

    Chris Lyon
    Director of Infrastructure Security

  6. I think my Gmail was hacked because of this by kbg · · Score: 4, Informative

    The day before this was noticed my Gmail account was hacked by Chinese spammers and I know I used the same password there. So I am skeptical about the claims that no one had downloaded this file. The email only says when they noticed the problem, but doesn't specify how long the file was available before that. It could have been available for a long time.

  7. Encrypting passwords is less secure by Dr_Barnowl · · Score: 3, Insightful

    Urrgh.

    Please, don't encrypt passwords. Encryption implies that you can retrieve them if you have the keys, which could have made this much worse.

    MD5 hashing is probably still a secure practice, done right, for a given degree of "secure". Like any kind of data security, it's all about raising the cost of obtaining the data beyond the amount that a given person is willing to pay to do so. While MD5 costs less to crack these days, the cost to obtain each Mozilla user account password is probably still higher than most are willing to pay (although stealing the resources to do this via a botnet probably reduces this cost considerably).

    Given equally sound methodology, encrypting passwords is always less secure than hashing them, because encryption implies that you can retrieve the plaintext, which leaves it open to all sorts of additional attacks, like stealing the encryption keys along with the data, "persuading" the sysadmin to decrypt them with either a rubber hose or a wad of cash, etc, etc.

    On the other hand, hashing means that you genuinely cannot retrieve the password without expending a large amount of CPU time, and persuasion isn't going to help.

    Any site that emails you your password as plaintext is doing it wrong - there is no reason that any authentication system should be able to retrieve your plaintext password. It's acceptable to offer a means to force a password change, it is NOT acceptable to send my password to me via a medium that any intervening server could read, and it's not acceptable to be storing passwords as plaintext or even encrypted when it is demonstrably less secure than hashing and there is no benefit to retaining them.

    In fact, you should mail the sysadmin of any such system and let him know that his system is doing it wrong, and why.
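    The two storage schemes discussed in this thread, unsalted MD5 (the disabled legacy accounts) and per-user salted SHA-512 (the active ones, per Giorgio Maone's comment above), side by side. This is an added example written for this page, not Mozilla's AMO code; the three sample accounts are constructed, and the record format `salt_hex$digest_hex` is an assumption. It shows the practical difference a defender cares about: with unsalted hashes, every pair of users sharing a password is visible as an identical record in a leaked file, and nothing stored in either scheme can be turned back into the password, which is Dr_Barnowl's point about hashing rather than encrypting.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not data from the leaked file): two of the
# users happen to share a password, the case a leaked store exposes.
SAMPLE_USERS = {
    "alice@example.org": "correct horse",
    "bob@example.org": "correct horse",
    "carol@example.org": "Tr0ub4dor&3",
}


def md5_record(password):
    """Unsalted MD5, the legacy scheme behind the disabled accounts.
    Same password in, same record out, so one precomputed table covers every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_sha512_record(password, salt=None):
    """Per-user random salt + SHA-512, stored as 'salt_hex$digest_hex' (assumed format).
    Two users with the same password get different records, and a table
    precomputed for one salt is useless against any other."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def verify_salted_sha512(password, record):
    """Recompute with the stored salt and compare digests in constant time."""
    salt_hex, expected = record.split("$", 1)
    recomputed = salted_sha512_record(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed.split("$", 1)[1], expected)


def build_store(scheme, users=SAMPLE_USERS):
    """Turn the sample plaintexts into stored records under `scheme`.
    Nothing reversible is kept: verification only ever recomputes and compares."""
    return {user: scheme(pw) for user, pw in users.items()}


def duplicate_records(store):
    """Number of stored values that repeat. Under unsalted MD5 every shared
    password shows up as an identical record, so reuse is visible from the
    leaked file alone; under per-user salt the count is zero."""
    return len(store) - len(set(store.values()))


if __name__ == "__main__":
    md5_store = build_store(md5_record)
    salted_store = build_store(salted_sha512_record)
    print("duplicate MD5 records:", duplicate_records(md5_store))        # 1
    print("duplicate salted records:", duplicate_records(salted_store))  # 0
    rec = salted_store["alice@example.org"]
    print(verify_salted_sha512("correct horse", rec), verify_salted_sha512("wrong", rec))
```

    Note that a per-user salt removes the shared-table and duplicate-visibility problems but does nothing about speed; a fast hash like SHA-512 still lets each guess against one salt be tried cheaply, which is why the later replies bring up deliberately slow schemes.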

    1. Re:Encrypting passwords is less secure by mysidia · · Score: 3, Informative

      > Please, don't encrypt passwords. Encryption implies that you can retrieve them if you have the keys, which could have made this much worse.

      Only if the keys are compromised.

      The correct thing to do is to encrypt each password and protect the key by storing it in a different place; for example, by storing it in a different database, and having a separate application that performs authentications, so no single application has access to both databases.

      That way, if the user file / user database is leaked someone cannot simply use an MD5 brute force attempt with some rainbow tables and a dictionary to get everyone's password.

      This is most useful when the plaintext version of the password is required for authentication processes such as CHAP or CRAM-MD5 authentication.

      When it is not required, you are best off taking a secure crypto hash of the password with a secret salt, and then encrypting the list of SHA1/SHA256 hashes.

      If the password file is leaked with the list of SHA256 hashes, they will be useless without the ability to find or guess the salt that was used to compute each password.
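      The "secret salt kept somewhere the user database is not" idea from this comment, as an added example (not the commenter's code and not anything Mozilla runs). It keys the per-user salted hash with an HMAC whose key lives with the authentication service rather than in the user table; the `AUTH_SERVICE_KEYS` dict and the record layout are assumptions standing in for a separate key store. The last function shows why a leaked table is useless on its own: without the key there is nothing a candidate password can be checked against, even when the candidate is right.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a key held by a separate service: the process that
# owns the user table never has this; only the authentication service does.
AUTH_SERVICE_KEYS = {"pepper-v1": os.urandom(32)}


def per_user_hash(password, salt):
    """Ordinary per-user salted hash (SHA-256 here), computed first."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_record(password, key_id="pepper-v1", keys=AUTH_SERVICE_KEYS):
    """Store salt, key id and HMAC(key, salted_hash). The secret key plays the
    role of the 'secret salt'; the database row alone does not contain it."""
    salt = os.urandom(16)
    tag = hmac.new(keys[key_id], per_user_hash(password, salt), hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "key_id": key_id, "tag": tag}


def verify(password, record, keys=AUTH_SERVICE_KEYS):
    """Only a process holding the key can verify; a leaked table without it cannot."""
    key = keys.get(record["key_id"])
    if key is None:
        return False
    inner = per_user_hash(password, bytes.fromhex(record["salt"]))
    tag = hmac.new(key, inner, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, record["tag"])


def keyless_check(candidate, record):
    """What someone holding only the leaked table can test: recompute the
    unkeyed salted hash and compare. It never matches the stored tag, even for
    the right password, so dictionary or rainbow-table checks have nothing to confirm against."""
    unkeyed = per_user_hash(candidate, bytes.fromhex(record["salt"])).hex()
    return hmac.compare_digest(unkeyed, record["tag"])


if __name__ == "__main__":
    rec = make_record("hunter2")  # constructed sample password
    print(verify("hunter2", rec), verify("hunter3", rec))   # True False
    print(verify("hunter2", rec, keys={}))                  # False: key held elsewhere
    print(keyless_check("hunter2", rec))                    # False: right password, no key
```

      Storing the key id with each record is what makes key rotation possible later: new records are written under a new id while old ones keep verifying against the old key until the user next logs in.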

    2. Re:Encrypting passwords is less secure by carlhaagen · · Score: 4, Informative

      No, you're actually wrong - in the context of password protection, encrypting passwords means using a one-way encryption scheme. The method is in some ways similar to hashing, but the common process used is actually that of a modified version of the Blowfish crypto cipher resulting in a non-reversible output. The process is very time-consuming compared to generic hashing such as MD5, SHAx etc., and is practically impossible to create rainbow tables for, practically impossible to bruteforce. You can educate yourself further on the topic here: http://codahale.com/how-to-safely-store-a-password/