Hello and happy New Year everyone!
I have just scanned my mailbox for new emails, and one of them particularly caught my attention: Its title was “Important notice about your addons.mozilla.org account”. To be honest, I did not remember I even had an account there, but because they claimed it were important, I read it. Reading it proved to be worthwhile and here are the most important passages of the text:
“Subject: Important notice about your addons.mozilla.org account
The purpose of this email is to notify you about a possible disclosure of your information which occurred on December 17th. […] On this date, we were informed by a 3rd party who discovered a file with individual user records on a public portion of one of our servers. […] This file was placed on this server by mistake and was a partial representation of the users database from addons.mozilla.org. The file included email addresses, first and last names, and an md5 hash representation of your password.”
So effectively they are telling you that they hashed your full name, your email address and the MD5 hash of your password because someone put a file into public that did not belong there. What really puzzled me was not the fact that this awkward incident happened, but rather the wording of the emphasised sentence: It said nothing about whether salting was used to additionally protect the password; is it possible that a company like Mozilla does not consider the user passwords to be sensitive enough to add the additional security layer of salting?
But it is not all bad, they disabled the accounts where data was possibly leaked, investigated on the issue and promise not to let it happen again. The last sentence of the sentence also promises that they may add salting, if they do not already do it.
“The reason we are disclosing this event is because we have removed your existing password from the addons site and are asking you to reset it by going back to the addons site and clicking forgot password. We are also asking you to change your password on other sites in which you use the same password. Since we have effectively erased your password, you don't need to do anything if you do not want to use your account. It is disabled until you perform the password recovery. We have identified the process which allowed this file to be posted publicly and have taken steps to prevent this in the future. We are also evaluating other processes to ensure your information is safe and secure.”
So, curious on whether salting is used at Mozilla's, I decided to contact the address they supplied for questions with the following email.
Subject: Protection of user data
Dear sir or madam!
The email your corporation has sent on 28.12.2010 concerning possible disclosure of user data on addons.mozilla.org has left me with the question of whether the user passwords stored in your database are salted or not. I consider salting of user passwords to be of utmost importance, as it significantly reduces the risk of disclosing
passwords by preventing the attacker to use a rainbow attack. The wording that elaborated which data has been leaked in the abovementioned email (“The file included email addresses, first and last names, and an md5 hash representation of your password.”) has left me with the impression that you do not salt user passwords and thus I would really appreciate if you could give me definite
information about the matter.
Best regards,
Florian Mayer
PS: I will make available publicly the information contained in the response to this email unless explicitly stated otherwise, as I firmly believe people have a right to know how the data they give away is secured and think the principles of openness repeatedly expressed by your corporation require the same.
To be continued …
