{"id":2323,"date":"2018-06-25T12:58:20","date_gmt":"2018-06-25T19:58:20","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2323"},"modified":"2018-06-26T05:13:54","modified_gmt":"2018-06-26T12:13:54","slug":"scanning-breached-accounts-k-anonymity","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/","title":{"rendered":"Scanning for breached accounts with k-Anonymity"},"content":{"rendered":"<p>The new <a href=\"https:\/\/blog.mozilla.org\/futurereleases\/2018\/06\/25\/testing-firefox-monitor-a-new-security-tool\/\">Firefox Monitor<\/a> service will use <a href=\"https:\/\/www.troyhunt.com\/were-baking-have-i-been-pwned-into-firefox-and-1password\">anonymized range query API endpoints from Have I Been Pwned<\/a> (HIBP). This new Firefox feature allows users to check for compromised online accounts while preserving their privacy.<\/p>\n<div id=\"attachment_2325\" style=\"width: 540px\" class=\"wp-caption alignnone\"><img aria-describedby=\"caption-attachment-2325\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-2325 size-full\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/Screen-Shot-2018-05-24-at-9.47.46-AM.png\" alt=\"An API request reveals sensitive data about the requesting party.\" width=\"530\" height=\"300\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/Screen-Shot-2018-05-24-at-9.47.46-AM.png 530w, https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/Screen-Shot-2018-05-24-at-9.47.46-AM-252x143.png 252w\" sizes=\"(max-width: 530px) 100vw, 530px\" \/><p id=\"caption-attachment-2325\" class=\"wp-caption-text\">An API request can reveal subject identifiers like cookies, IP address, etc.<\/p><\/div>\n<h2>Anonymizing Account Identifiers<\/h2>\n<p>Operations like <i>\u2018search\u2019<\/i> often need plaintext, or simply-hashed data. 
But, as <a href=\"https:\/\/blog.cloudflare.com\/validating-leaked-passwords-with-k-anonymity\/\">Cloudflare has described<\/a> in their own HIBP integration, searching with plain account data introduces privacy and security risks that allow an adversary, or even the service itself, to use the data to breach the searched account.<\/p>\n<p>As an alternative, a user search client could download an entire set of data. Unfortunately, this practice discloses all the service data to the client, which could abuse the data of all other users.<\/p>\n<h2>Anonymized Data Sharing<\/h2>\n<p>To mitigate these risks, Mozilla is working with <a href=\"https:\/\/www.troyhunt.com\/\">Troy Hunt<\/a> &#8211; creator and maintainer of HIBP &#8211; to use new <i>hash range query<\/i> API endpoints for breached account data in the Firefox Monitor project.<\/p>\n<p>Hash range queries add <a href=\"https:\/\/en.wikipedia.org\/wiki\/K-anonymity\">k-Anonymity<\/a> to the data that Mozilla exchanges with HIBP. Data with k-Anonymity protects individuals who are the subjects of the data from re-identification while preserving the utility of the data.<\/p>\n<p>When a user submits their email address to Firefox Monitor, it hashes the plaintext value and sends the <i>first 6 characters<\/i> of the hash to the HIBP API. For example, the value &#8220;<code>test@example.com<\/code>&#8221; hashes to <code>567159d622ffbb50b11b0efd307be358624a26ee<\/code>. 
We send this hash prefix to the API endpoint:<\/p>\n<pre>GET https:\/\/haveibeenpwned.com\/api\/breachedaccount\/range\/567159<\/pre>\n<p>The API responds with many suffixes and the list of breaches that include the full value:<\/p>\n<div class=\"panelContent\">\n<pre class=\"data\">[\r\n  {\r\n    \"HashSuffix\": \"D622FFBB50B11B0EFD307BE358624A26EE\",\r\n    \"Websites\": [\r\n      \"LinkedIn\"\r\n    ]\r\n  },\r\n  {\r\n    \"HashSuffix\": \"0000000000000000000000000000000000\",\r\n    \"Websites\": [\r\n      \"Dropbox\"\r\n    ]\r\n  },\r\n  {\r\n    \"HashSuffix\": \"1111111111111111111111111111111111\",\r\n    \"Websites\": [\r\n      \"Adobe\",\r\n      \"Plex\"\r\n    ]\r\n  }\r\n]<\/pre>\n<p>When Firefox Monitor receives this response, it loops through the objects to find which (if any) combination of prefix and breached-account HashSuffix equals the user-submitted hash value. The following pseudocode describes the algorithm in more detail:<\/p>\n<pre>if (fullUserHash === userHashPrefix + breachedAccount.HashSuffix)<\/pre>\n<p>Using the running example from above, for the first <code>HashSuffix<\/code>, the expression evaluates to:<\/p>\n<pre>if ('567159D622FFBB50B11B0EFD307BE358624A26EE' ===\r\n    '567159' + 'D622FFBB50B11B0EFD307BE358624A26EE')\r\n<\/pre>\n<p>Firefox Monitor discovers that \u201c<code>test@example.com<\/code>\u201d appears in the LinkedIn breach, but does not disclose plaintext or even hashes of sensitive user data. Further, HIBP does not disclose its entire set of hashes, which allows Firefox users to maintain their privacy, and protects breached users from further exposure.<\/p>\n<h2>Brute Force Attacks<\/h2>\n<p>Hashed data is still vulnerable to brute-force attacks. An adversary could still loop through a dictionary of email addresses to find the plaintext of all the range query results. To reduce this attack surface, Firefox Monitor does not store the range queries or any results in its database. 
Instead, it caches a user&#8217;s results in an <a href=\"https:\/\/hacks.mozilla.org\/2012\/12\/using-secure-client-side-sessions-to-build-simple-and-scalable-node-js-applications-a-node-js-holiday-season-part-3\/\">encrypted client session<\/a>. We also monitor our scan endpoint to prevent abuse by an adversary attempting a brute-force breached-account enumeration attack against our service.<\/p>\n<h2>Helping Subjects of Data Breaches<\/h2>\n<p>HIBP contains billions of records of email addresses. Troy has done an outstanding job to <a href=\"https:\/\/www.troyhunt.com\/the-legitimisation-of-have-i-been-pwned\/\">raise awareness and educate users about breaches globally<\/a>. Breached sites embrace HIBP, even self-submitting their breached data. HIBP is there to help victims of data breaches after things go wrong, and Firefox Monitor is extending that help to more people.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The new Firefox Monitor service will use anonymized range query API endpoints from Have I Been Pwned (HIBP). 
This new Firefox feature allows users to check for compromised online accounts &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/\">Read more<\/a><\/p>\n","protected":false},"author":285,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[847,69],"tags":[],"coauthors":[127141],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Scanning for breached accounts with k-Anonymity - Mozilla Security Blog<\/title>\n<meta name=\"description\" content=\"To help users check for compromised online accounts while preserving their privacy, the upcoming Firefox Monitor service will use new anonymized range query API endpoints from Have I Been Pwned.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Luke Crouch\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/\",\"name\":\"Scanning for breached accounts with k-Anonymity - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/Screen-Shot-2018-05-24-at-9.47.46-AM.png\",\"datePublished\":\"2018-06-25T19:58:20+00:00\",\"dateModified\":\"2018-06-26T12:13:54+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/491692acd36de650165e25dd53c99954\"},\"description\":\"To help users check for compromised online accounts while preserving their privacy, the upcoming Firefox Monitor service will use new anonymized range query API endpoints from Have I Been 
Pwned.\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/Screen-Shot-2018-05-24-at-9.47.46-AM.png\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/Screen-Shot-2018-05-24-at-9.47.46-AM.png\",\"width\":530,\"height\":300,\"caption\":\"An API request reveals sensitive data about the requesting party.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Scanning for breached accounts with k-Anonymity\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/491692acd36de650165e25dd53c99954\",\"name\":\"Luke 
Crouch\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/1b48bfd9be84cb33b2259056825f5338\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ac76daf656edb21915fd4611edae2b2e?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ac76daf656edb21915fd4611edae2b2e?s=96&d=identicon&r=g\",\"caption\":\"Luke Crouch\"},\"description\":\"Privacy Engineer\",\"sameAs\":[\"https:\/\/groovecoder.com\",\"https:\/\/x.com\/groovecoder\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Scanning for breached accounts with k-Anonymity - Mozilla Security Blog","description":"To help users check for compromised online accounts while preserving their privacy, the upcoming Firefox Monitor service will use new anonymized range query API endpoints from Have I Been Pwned.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/","twitter_misc":{"Written by":"Luke Crouch","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/","url":"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/","name":"Scanning for breached accounts with k-Anonymity - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/Screen-Shot-2018-05-24-at-9.47.46-AM.png","datePublished":"2018-06-25T19:58:20+00:00","dateModified":"2018-06-26T12:13:54+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/491692acd36de650165e25dd53c99954"},"description":"To help users check for compromised online accounts while preserving their privacy, the upcoming Firefox Monitor service will use new anonymized range query API endpoints from Have I Been Pwned.","breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/#primaryimage","url":"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/Screen-Shot-2018-05-24-at-9.47.46-AM.png","contentUrl":"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/Screen-Shot-2018-05-24-at-9.47.46-AM.png","width":530,"height":300,"caption":"An API request reveals sensitive data about the requesting 
party."},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2018\/06\/25\/scanning-breached-accounts-k-anonymity\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Scanning for breached accounts with k-Anonymity"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/491692acd36de650165e25dd53c99954","name":"Luke Crouch","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/1b48bfd9be84cb33b2259056825f5338","url":"https:\/\/secure.gravatar.com\/avatar\/ac76daf656edb21915fd4611edae2b2e?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ac76daf656edb21915fd4611edae2b2e?s=96&d=identicon&r=g","caption":"Luke Crouch"},"description":"Privacy 
Engineer","sameAs":["https:\/\/groovecoder.com","https:\/\/x.com\/groovecoder"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2323"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/285"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2323"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2323\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2323"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2323"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2323"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2323"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}