addons.mozilla.org disclosure
On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported …
Many people are not aware that we have paid a bounty in the past on web application security vulnerabilities which impact client security. We have only paid on critical or extraordinary web application vulnerabilities which have a direct impact against the client. We are now going to include critical and high severity web application vulnerabilities. So we are giving a range starting at $500 (US) for high severity and, in some cases, may pay up to $3000 (US) for extraordinary or critical vulnerabilities.
There have been a number of reports about a new Firesheep tool that exposes a weakness in website security, letting attackers snoop on people using public networks, steal their cookies, …
Update (Oct 27, 2010 @ 20:12): A fix for this vulnerability has been released for Firefox and Thunderbird users. Firefox 3.6.12 and 3.5.15 security updates now available. Thunderbird 3.1.6 and …
One of the security enhancements included with Firefox 3.6.9 is support for the x-frame-options header. This optional header can be included within the HTTP response to instruct the client’s browser on whether the returned content is allowed to be framed by other pages.
A while ago, we talked about Force-TLS that lets sites say “hey, only access me over HTTPS in the future” and the browser listens. Well, this idea has been solidified …
Zack Weinberg did a great blog post explaining the recent changes in Firefox 3.5.11 and 3.6.7 to mitigate cross-site data theft using CSS. This is a mitigation for an issue …
Issue: There has been discussion today about a Firefox feature that warns users when a site’s URL is deceptive. When a Firefox user visits a site with a URL that …
I’ve posted some of my recent thinking on privacy and identity. For some time we’ve generally seen privacy treated as its own problem domain, oddly divorced from the realms of …
Mozilla launched its security bounty program in 2004 and while the original mission of protecting users by supporting security research has not changed, the security environment has changed tremendously. In …
Adobe recently released a security advisory for Flash Player, Adobe Reader and Acrobat. The advisory stated a critical vulnerability existed in all versions of Flash prior to and including 10.0.45.2. …
It’s been a few months since I wrote about the work our plugin check team has been doing, but there are a couple of pretty excellent pieces of news I’d …