{"id":1489,"date":"2013-10-02T09:00:25","date_gmt":"2013-10-02T16:00:25","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=1489"},"modified":"2013-10-02T08:41:04","modified_gmt":"2013-10-02T15:41:04","slug":"bug-bounty-program-finds-and-helps-resolve-security-vulnerability-in-persona","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2013\/10\/02\/bug-bounty-program-finds-and-helps-resolve-security-vulnerability-in-persona\/","title":{"rendered":"Bug Bounty Program Finds and Helps Resolve Security Vulnerability in Persona"},"content":{"rendered":"<p>The purpose of our &#8220;Bug Bounty Program&#8221; is to encourage contributors to test and experiment with our code for the purposes of improving its functionality, security and robustness. Through this program we were recently alerted to a potential security flaw in one of our web services products.<\/p>\n<p><strong>Issue<\/strong><\/p>\n<p>On Tuesday, September 24th, Mozilla was notified by a security researcher of a vulnerability within the Persona service that could potentially have allowed an attacker to authenticate to a Persona-enabled website using the identity of an existing Gmail or Yahoo account.<\/p>\n<p>As of Tuesday, October 1st, we&#8217;ve deployed updates to Persona to fully address this security concern. We also reviewed available log data from Sept 10 through October 2nd and confirmed that this flaw has not been used to target any users.<\/p>\n<p><strong>Impact<\/strong><\/p>\n<p>The vulnerability could have allowed a malicious attacker to authenticate to a Persona-enabled website using the identity of an existing Gmail or Yahoo account.<\/p>\n<p>Note: This issue only impacted the Persona service and sites that implement Persona. This vulnerability has no bearing on the security of a user&#8217;s Gmail or Yahoo email service.<\/p>\n<p><strong>Status<\/strong><\/p>\n<p>Mozilla immediately investigated and tested patches to address this issue. 
Initial patches to Persona were deployed on Friday, September 27th, and additional patches for an identified edge case were deployed on Tuesday, October 1st.<\/p>\n<p>The vulnerability that led to this issue was created by incorrect assumptions about the behavior and security of two third-party libraries. We&#8217;ve captured these details more fully in a <a href=\"http:\/\/blog.mozilla.org\/security\/?p=1485\">technical post<\/a> on the issue authored by Lloyd Hilaiel.<\/p>\n<p>Credit for discovery of this issue goes to<br \/>\nDaniel Fett, Ralf Kuesters, and Guido Schmitz,<br \/>\nresearchers at the Chair of Information Security and Cryptography,<br \/>\nUniversity of Trier, Germany.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The purpose of our &#8220;Bug Bounty Program&#8221; is to encourage contributors to test and experiment with our code for the purposes of improving its functionality, security and robustness. Through this &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2013\/10\/02\/bug-bounty-program-finds-and-helps-resolve-security-vulnerability-in-persona\/\">Read more<\/a><\/p>\n","protected":false},"author":1438,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Bug Bounty Program Finds and Helps Resolve Security Vulnerability in Persona - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2013\/10\/02\/bug-bounty-program-finds-and-helps-resolve-security-vulnerability-in-persona\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"mozilla\" 
\/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/10\/02\/bug-bounty-program-finds-and-helps-resolve-security-vulnerability-in-persona\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2013\/10\/02\/bug-bounty-program-finds-and-helps-resolve-security-vulnerability-in-persona\/\",\"name\":\"Bug Bounty Program Finds and Helps Resolve Security Vulnerability in Persona - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2013-10-02T16:00:25+00:00\",\"dateModified\":\"2013-10-02T15:41:04+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/70ae25c16f09d053c6d8b5eac29dbda9\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/10\/02\/bug-bounty-program-finds-and-helps-resolve-security-vulnerability-in-persona\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2013\/10\/02\/bug-bounty-program-finds-and-helps-resolve-security-vulnerability-in-persona\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/10\/02\/bug-bounty-program-finds-and-helps-resolve-security-vulnerability-in-persona\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Bug Bounty Program Finds and Helps Resolve Security Vulnerability in Persona\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security 
Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/70ae25c16f09d053c6d8b5eac29dbda9\",\"name\":\"mozilla\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/98138a294cb6e19a68b02ef8ca9be2dc\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/75d2017e019c87560fe5d148a64659dc?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/75d2017e019c87560fe5d148a64659dc?s=96&d=identicon&r=g\",\"caption\":\"mozilla\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Bug Bounty Program Finds and Helps Resolve Security Vulnerability in Persona - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2013\/10\/02\/bug-bounty-program-finds-and-helps-resolve-security-vulnerability-in-persona\/","twitter_misc":{"Written by":"mozilla","Est. 
reading time":"1 minute"}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1489"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1438"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=1489"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1489\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=1489"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=1489"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=1489"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=1489"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}