Wednesday, December 29, 2010

Weak Excuses after Weak Security :: Mozilla's user a/c on Public Server

now this year has been filled with loads of news related to user-data getting leaked from different websites... but it wasn't much disturbing as web-vulnerabilities in Facebook are well known and accepted as cons of the deal and neither 1.3m a/c details leaked from Gawker came as a shock (it was more of a Tweet-Flood)
but
On Dec-17-2010, Mozilla was reported about availability of its user-accounts (partially, which were used on addons.mozilla.org) over a public server.
They have projects like Firefox (super famous web-browser), NSS (one of the most famous libraries for developing secured client-server application), and more... if an organization like them do a mistake like this, oh yeah... hackers paradise

it's how they defend themselves...
  • database included 44,000 inactive accounts using older
    but don't you think... even inactive users on a site deserve their privacy, and if they were inactive and not important then better purge the information pertaining to account... why keep it instead
  • md5-based password hashes
    they don't use it now... for active users they support SHA-512 per-user-salt mechanism; now that's good
  • current addons.mozilla.org users and accounts are not at risk
    so if I don't use Mozilla anymore... they wouldn't respect my a/c details anymore and still keep it... so that in future they could 'arrrrgh sorrry' me, brutally nice
  • incident did not impact any of Mozilla’s infrastructure
    it was available on a public server and not a hacked-n-fetched... bravo
  • only outsider who accessed the data was the security researcher that reported the mistake to Mozilla
    how are they so sure... if none else reported it doesn't mean that none else saw it, and it is not necessary that everyone accessing it will 'remain in' logs.

References:
http://blog.mozilla.com/security/2010/12/27/addons-mozilla-org-disclosure/
http://www.thetechherald.com/article.php/201052/6620/Mozilla-password-disclosure-a-non-event

No comments:

Post a Comment

Post a Comment