Bug Bounty Program Finds and Helps Resolve Security Vulnerability in Persona

mcoates

The purpose of our “Bug Bounty Program” is to encourage contributors to test and experiment with our code for the purposes of improving its functionality, security and robustness. Through this program we were recently alerted to a potential security flaw in one of our web services products.

Issue

On Tuesday, September 24th Mozilla was notified by a security researcher of a vulnerability within the Persona service that could potentially have allowed an attacker to authenticate to a Persona enabled website using the identity of an existing gmail or yahoo account.

As of Tuesday, October 1st, we’ve deployed updates to Persona to fully address this security concern. We also reviewed available log data from Sept 10 through October 2nd and confirmed that this flaw has not been used to target any users.

Impact

The vulnerability could have allowed a malicious attacker to authenticate to a Persona enabled website using the identity of an existing gmail or yahoo account.

Note: This issue only impacted the Persona service and sites that implement Persona. This vulnerability has no bearing on the security of a user’s gmail or yahoo email service.

Status

Mozilla immediately investigated and tested patches to address this issue. Initial patches to Persona were deployed on Friday, September 27th and additional patches for an identified edge case were deployed on Tuesday, October 1st.

The vulnerability that led to this issue was created by incorrect assumptions of behavior and security with two third party libraries. We’ve captured these details more fully in a technical post on the issue authored by Lloyd Hilaiel.

Credit for discovery of this issue goes to
Daniel Fett, Ralf Kuesters, and Guido Schmitz,
researchers at the Chair of Information Security and Cryptography,
University of Trier, Germany.