addons.mozilla.org disclosure

Chris Lyon

19

On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported the issue to us via our web bounty program. We were able to account for every download of the database. This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure.

The database included 44,000 inactive accounts using older, md5-based password hashes.  We erased all the md5-passwords, rendering the accounts disabled. All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts. SHA-512 and per user salts has been the standard storage method of password hashes for all active users since April 9th, 2009.

It is important to note that current addons.mozilla.org users and accounts are not at risk. Additionally, this incident did not impact any of Mozilla’s infrastructure.  This information was also sent to impacted users by email on December 27th.

Chris Lyon
Director of Infrastructure Security

19 responses

  1. Khalil Fazal wrote on :

    I appreciate you and your team’s openness, many won’t.

  2. Seung Soo, Ha wrote on :

    “however as a precaution we felt we should disclose this issue”
    Is there any official internal protocol or procedure to decide on which issue to disclose and why?

    Nevertheless, Thanks.

  3. larry seltzer wrote on ::

    Everyone makes mistakes. This one was responsibly handled. Good job. Just one thing: I got the e-mail a while before this blog post or anything else about the matter was on the web. The e-mail looked legit, but…

  4. Schwindle Justinbert wrote on :

    If the 44.000 non-salted MD5 passwords are found, it won’t matter shit that there is another copy in SHA-512.

    The recovered plaintext passwords will allow whoever has downloaded the database and cracked them (a minimal effort given the non-saltyness and MD5) access to all of the accounts.

    So obviously, the accounts which were included in the downloadable archive should be completely disabled, NOT just have their MD5 field erased.

  5. Daniel Cater wrote on :

    Were the MD5 password hashes salted?

    What will be done to ensure that more care is taken with this kind of data in future?

  6. Alexandre Dulaunoy wrote on ::

    Great responsible disclosure.

    Instead of salted SHA-2, why didn’t you consider to use HMAC,CMAC or bcrypt with a cost value?

    Thanks.

  7. Theo wrote on :

    No warning posted on addons.mozilla.org or http://www.mozilla.org?

  8. Solar Designer wrote on ::

    As I sure hope you’re aware, “raw” SHA-512 was never meant to be used for password hashing, and it is not good at that, not even if you add a salt. I hope you meant that you’re actually using SHA-crypt – http://www.akkadia.org/drepper/SHA-crypt.txt – one of the flavors of which (the one more suitable for 64-bit CPUs) is in fact based on SHA-512 (but uses a higher-level algorithm on top of SHA-512, which makes it suitable for password hashing). The other alternative, which provides about the same level of security, is OpenBSD-style Blowfish-based bcrypt: http://www.openwall.com/crypt/

    If you’re in fact using SHA-512 with mere salting but no stretching, it is time for you to switch to a proper password hashing method now: http://www.openwall.com/articles/PHP-Users-Passwords

    Also, proper password strength checking is highly desirable: http://www.openwall.com/lists/announce/2010/12/10/2 (“GNU Savannah integrates passwdqc”).

  9. Evan Carroll wrote on ::

    Was the database salted?

  10. Tomer Cohen wrote on ::

    Someone told us on our local community website that he received a message from Mozilla, indicating that his password may have been leaked. Can you please confirm that you sent a message to some or all of the users?

    Thanks.

  11. Ken Saunders wrote on ::

    Mozilla’s openness is awesome.
    I’m sure that there are many, many people who do not realize or appreciate it.

    Thanks sincerely.

  12. Arun wrote on ::

    Well said, I agree with Ken.

  13. David wrote on :

    And do I need to do anything, change a password?

  14. George wrote on :

    an included link to that page would be much useful just to know that the email is not a spam!
    anyway, thanks for letting me know!
    Happy New Year!

  15. Chris Lyon wrote on ::

    @Daniel, Prior to 2009, we were using md5 not salted. Post 2009, we are using SHA-512 with per user salt.

    We’ve been in contact with the 3rd party security researcher, Florian Grunow, and he has confirmed that he hasn’t distributed the data in any form.

  16. Geek wrote on ::

    Good that you fixed this early. Threw my experience I know that md5 encrypted passwords can sometimes be figured out easily using rainbow tables or just the google search :-)

    Regards.

  17. Fendi wrote on :

    Glad this came up publicly, and resolve the issues openly as ken stated!

  18. Avocat wrote on ::

    Thanks for posting this. It sets an example on how to handle security disclosure. Mozilla really puts the users first.

  19. Jonny N wrote on :

    @Chris Can you elaborate on the salting method? I’m interested in doing something similar. Eg. what is the salt – another hash like md5 or sha-1? A random integer? Do you have an additional code-based salt you add in too, or do you use stretching (x many iterations of applying the salt).

    Anyone else able to provide wisdom in this area?