Closed Bug 619999 Opened 14 years ago Closed 14 years ago

Complete database dump disclosure - addons.mozilla.com

Component: Websites :: other.mozilla.org (defect, P1)
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: blair-witch (Unassigned)
Keywords: sec-critical, wsec-disclosure
Whiteboard: [infrasec:other][ws:critical]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
Build Identifier: 

I have been looking around a bit again because of the Mozilla security bounty program. I dug a little deeper now after finding this: https://bugzilla.mozilla.org/show_bug.cgi?id=619702

This time it's a little bit more serious. In fact, this time it is a major fuck-up, I guess.

Looking at the URL above, you will find a complete MySQL dump of remora, including email addresses and password hashes (even MD5s) for addons.mozilla.com.

You should fix this NOW! I just found it via google.

Maybe you should think about some kind of policy for the guys under people.mozilla.com. This will not be the fix, but maybe it will sensitize some of the guys to not upload critical production data!

I will contact security@mozilla.com about this referencing the bounty program.

I have not and will not disclose any of the data in the dump.

Reproducible: Always

Steps to Reproduce:
1. Visit the URL above
Actual Results:  
total pwnage

Thanks. The file has been removed for now. We'll be in touch as to any bounty information.
Severity: critical → blocker
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Priority: -- → P1
Resolution: --- → FIXED
Whiteboard: [infrasec:other][ws:critical]
Flags: sec-bounty+
Group: websites-security