Friday, December 31, 2010

Mozilla Passwords Leaked, No Reason to Panic

A database containing 44,000 usernames and password hashes for accounts registered on the Mozilla add-ons website was accidentally made public, Mozilla, the organization behind the Firefox Web browser, said on Monday. The partial database of user accounts was mistakenly left on a public server, where anyone could have read the account usernames and password hashes.

The good news? Mozilla says no one did. Well, no one except the one researcher who found them.

According to a post on the Mozilla blog, a researcher reported the issue via Mozilla's web bounty program, which encourages external, non-employee professionals to find and submit bugs to Mozilla. In return, Mozilla pays cash ($500 to $3,000 for valid bugs). Although Mozilla isn't saying, this was probably one of the $3,000 rewards.

This news comes on the heels of another high-profile password breach, the mid-December attack on Gawker Media's servers, which exposed the usernames and passwords of 1.3 million user accounts created for commenting on popular weblogs such as Gawker, Gizmodo, Lifehacker, Kotaku, io9, Jezebel and others.

How Were the Passwords Protected?

Gawker's passwords were hashed with the legacy DES-based crypt() scheme, which truncates passwords to eight characters; Mozilla's passwords in this instance were stored as unsalted MD5 hashes, another outdated method. Neither is encryption: a hash cannot be reversed directly, but a fast, unsalted hash can be attacked by hashing candidate passwords in bulk and comparing the results against the leaked list. These passwords can be cracked, explains Chester Wisniewski on the Sophos security blog. “MD5 has cryptographic weaknesses that permit creation of the same hash from multiple strings,” he says. “This permits experts to compute all the possible hashes and determine either your password or another string that will work even if it is not your password.”

Mozilla hasn't used MD5 since April 9, 2009; it now uses SHA-512, a stronger hash function. SHA-512 is a hash, not encryption, and on its own it is still a fast general-purpose digest that can be guessed against almost as quickly as MD5; the practical protection for stored passwords comes from salting each hash and using a deliberately slow scheme. The database in question, however, held older, inactive accounts whose passwords were still MD5 hashes.
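The two paragraphs above contrast the MD5 hashes in the leaked dump with the SHA-512 hashes Mozilla uses today. The following Python script is an added example for this article, not code from the original post or from Mozilla, and it uses a constructed wordlist, constructed usernames and passwords, and a record format invented for the demo. It shows what a dictionary attack on a leaked hash dump looks like and why the digest algorithm alone is not the point: an unsalted SHA-512 list falls to exactly the same precomputed table as an unsalted MD5 list, while a per-user salt plus a slow key-derivation function (PBKDF2 here) forces the attacker to pay the full cost for every guess against every account.

```python
"""Dictionary attack on a leaked password-hash dump: unsalted MD5 (the scheme in
the exposed Mozilla add-ons accounts) versus unsalted SHA-512 versus salted,
deliberately slow PBKDF2. Added example; all data below is constructed."""
import hashlib
import hmac
import os

# Attacker wordlist (constructed). Real attacks use millions of words, e.g. the
# plaintexts recovered from the Gawker dump, plus mangling rules.
WORDLIST = ["password", "123456", "letmein", "firefox", "qwerty", "mozilla"]

# Deliberately small so the demo runs in about a second; production values are
# tuned so that a single guess costs tens to hundreds of milliseconds.
PBKDF2_ITERS = 50_000


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def sha512_hex(password: str) -> str:
    return hashlib.sha512(password.encode()).hexdigest()


def crack_unsalted(leaked, hash_fn, words):
    """leaked: {username: hexdigest}. Hash each word once, then look every
    account up in the table. Returns (hits, number of hash computations).
    The work is len(words) regardless of how many accounts the dump holds,
    which is why unsalted fast hashes fall to precomputed (rainbow) tables."""
    table = {hash_fn(w): w for w in words}
    hits = {user: table[h] for user, h in leaked.items() if h in table}
    return hits, len(words)


def pbkdf2_record(password: str, salt=None) -> str:
    """Salted, iterated hash. Salt and iteration count are stored with the
    digest (a constructed record format, modelled on crypt-style strings)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERS)
    return f"pbkdf2_sha512${PBKDF2_ITERS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(record: str, password: str) -> bool:
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare


def crack_salted(leaked, words):
    """leaked: {username: pbkdf2 record}. No shared table is possible: each
    account has its own salt, so every (account, word) pair costs a full
    PBKDF2 run. Returns (hits, number of underlying hash iterations)."""
    hits, work = {}, 0
    for user, record in leaked.items():
        for w in words:
            work += PBKDF2_ITERS
            if pbkdf2_verify(record, w):
                hits[user] = w
                break
    return hits, work


# Constructed sample dump (not the real leaked data). Two users chose wordlist
# passwords; carol did not.
SAMPLE_PLAINTEXT = {"alice": "firefox", "bob": "letmein", "carol": "Tr0ub4dor&3-x"}
LEAKED_MD5 = {u: md5_hex(p) for u, p in SAMPLE_PLAINTEXT.items()}
LEAKED_SHA512 = {u: sha512_hex(p) for u, p in SAMPLE_PLAINTEXT.items()}
LEAKED_PBKDF2 = {u: pbkdf2_record(p) for u, p in SAMPLE_PLAINTEXT.items()}


def demo():
    """Run all three attacks; returns ((hits, work), ...) for md5, sha512, pbkdf2."""
    return (crack_unsalted(LEAKED_MD5, md5_hex, WORDLIST),
            crack_unsalted(LEAKED_SHA512, sha512_hex, WORDLIST),
            crack_salted(LEAKED_PBKDF2, WORDLIST))


if __name__ == "__main__":
    names = ("unsalted MD5", "unsalted SHA-512", "salted PBKDF2")
    for name, (hits, work) in zip(names, demo()):
        print(f"{name:17s} cracked {hits} with {work:,} hash computations")
```

Both unsalted dumps give up alice and bob after six hash computations in total, and SHA-512 buys nothing over MD5 here. The salted PBKDF2 dump gives up the same two weak passwords, since salting does not rescue a password that is in the attacker's wordlist, but it costs 13 full PBKDF2 runs (650,000 SHA-512 iterations) for three accounts, and that cost grows with every account and every word rather than being paid once for the whole dump.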

What’s Being Done

To address the issue, Mozilla says it erased all the MD5 password hashes, which disables the affected accounts.

Chris Lyon, Director of Infrastructure for Mozilla, says “the issue posed minimal risk to users,” because the only person who accessed the database, according to Mozilla's logs, was the researcher who reported the problem. Lyon also reassured users that the incident did not affect any of Mozilla's infrastructure.

While the risk may be minimal, Wisniewski suggests that anyone Mozilla contacts as one of the users whose account information was exposed should make sure they are not using the same password at other websites, just in case. If so, change those passwords immediately. “If [Mozilla is] wrong or if the discloser is not trustworthy, your other accounts may be at risk,” he says.
