Cyber Bounty Hunter Discovers Mozilla Privacy Breach

Tech nerds developing software by day, unveiling privacy threats by night: is this the wave of the future? If the latest case of a privacy breach by Mozilla is any example then, yes, and the future is here.

Mozilla, maker of the Firefox browser, revealed this week that it accidentally exposed 44,000 inactive user accounts belonging to addons.mozilla.org on its public server.

And how did the open source company become aware of the exposure? Through the company’s web bounty program, which allows volunteers to submit security-related bugs.

The volunteer, a security researcher by day, first notified the company of the breach on December 17th, just two days after Mozilla announced it was expanding its vulnerability rewards program to include Web properties.

That news came on the heels of a similar move by Google.

In this case, the volunteer discovered that the database, which contained 44,000 inactive user accounts for the addons.mozilla.org site, had been inadvertently placed on a public-facing Web server, explained Chris Lyon, Mozilla’s director of infrastructure security, in a blog posting.

Lyon stressed that the exposure “posed minimal risk to users.” The organization erased all the passwords, which were encrypted, and has since disabled those inactive accounts for good measure.

It also accounted for every download of the database.

The Mozilla Foundation notified all account holders by e-mail on December 27 of the exposure.

For its bounty program, Mozilla encourages researchers to download the open source code for its Web applications and look for errors.

Just last July, Mozilla increased the bounty it pays researchers from $500 to a maximum of $3,000.