User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:188.8.131.52) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
Build Identifier:

I have been looking around a bit again because of the Mozilla security bounty program. I dug a little deeper now after finding this: https://bugzilla.mozilla.org/show_bug.cgi?id=619702

This time it's a little bit more serious. In fact, this time it is a major fuckup, I guess. Looking at the URL above, you will find a complete MySQL dump of remora, including email addresses and password hashes (even MD5s) for addons.mozilla.com. You should fix this NOW! I just found it via Google.

Maybe you should think about some kind of policy for the guys under people.mozilla.com. This will not be the fix, but maybe it will sensitize some of the guys to not upload critical, productive data!

I will contact email@example.com about this, referencing the bounty program. I have not and will not disclose any of the data in the dump.

Reproducible: Always

Steps to Reproduce:
1. Visit URL above

Actual Results:
total pwnage

Thanks. The file has been removed for now. We'll be in touch as to any bounty information.