Mozilla Slips Up, Publishes User IDs and Encrypted Passwords
By Pallab De on December 28th, 2010

Close on the heels of the Gawker Media security breach, Mozilla has disclosed that it accidentally published a partial database of addons.mozilla.org user account information. As many as 44,000 user IDs and password hashes were left publicly accessible.

The affected accounts were inactive ones that still used MD5-based password hashes. MD5 is a weak hashing algorithm, and password hashes produced with it are crackable. Security firm Sophos explained:

MD5 has cryptographic weaknesses that permit creation of the same hash from multiple strings. This permits security experts to compute all the possible hashes and determine either your password or another string that will work even if it is not your password.

Active accounts on Mozilla’s add-on repository use salted SHA-512 password hashes, which offer stronger protection.

The good news is that almost no one noticed. According to Mozilla, the database was accessed by only one person outside of the company. That person is the security researcher who alerted Mozilla to the issue under its Web bounty program, which offers $500 to $3,000 in cash rewards for valid security-related bug reports. Nevertheless, Mozilla has deleted the passwords of all the affected accounts as a precautionary measure.
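The contrast between the two storage schemes, and the clean-up Mozilla applied to the inactive accounts, shown as an added example (not code from Mozilla or from the original article). It assumes the legacy hashes were bare, unsalted MD5 hex digests; the `sha512$salt$digest` layout, the function names and the sample accounts are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")  # bare MD5 digest (assumed legacy format)

def salted_sha512(password, salt=None):
    """Hash with a random per-account salt; the 'sha512$salt$digest' layout is assumed."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha512(salt + password.encode()).hexdigest()
    return "sha512$" + salt.hex() + "$" + digest

def verify(stored, password):
    """Recompute with the stored salt and compare in constant time."""
    parts = (stored or "").split("$")
    if len(parts) != 3 or parts[0] != "sha512":
        return False  # legacy or blanked hashes never authenticate
    candidate = salted_sha512(password, bytes.fromhex(parts[1]))
    return hmac.compare_digest(stored, candidate)

def audit(accounts):
    """Return (ids still on bare MD5, groups of ids whose stored hashes are identical)."""
    legacy, by_hash = [], defaultdict(list)
    for user_id, stored in accounts.items():
        if not stored:
            continue
        if MD5_HEX.match(stored):
            legacy.append(user_id)
        by_hash[stored].append(user_id)
    shared = [ids for ids in by_hash.values() if len(ids) > 1]
    return sorted(legacy), shared

def retire_legacy(accounts):
    """Blank every legacy hash so the owner has to set a new password."""
    legacy, _ = audit(accounts)
    return {uid: (None if uid in legacy else h) for uid, h in accounts.items()}

# Constructed sample table: all four accounts reuse the same password.
PW = "correct horse"
ACCOUNTS = {
    "old1": hashlib.md5(PW.encode()).hexdigest(),  # identical to old2: no salt
    "old2": hashlib.md5(PW.encode()).hexdigest(),
    "new1": salted_sha512(PW),                     # differs from new2: random salt
    "new2": salted_sha512(PW),
}
```

Without a salt, equal passwords produce equal digests, so a single precomputed table applies to every leaked row; the per-account salt removes that shortcut.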

Author: Pallab De
