Feeds

Mozilla addons site targeted in same attack that hit Google

Counterfeiters mint SSL cert for addons.mozilla.org

Top three mobile application threats

The secure webpage hosting addons for Mozilla Firefox was targeted in the same attack that minted a fraudulent authentication credential for Google websites, the maker of the open-source browser said.

"DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of issue," Johnathan Nightingale, Mozilla's director of Firefox development, wrote in a statement. "In the absence of a full account of mis-issued certificates from DigiNotar, the Mozilla team moved quickly to remove DigiNotar from our root program and protect our users."

Nightingale didn't say how many Mozilla certificates were issued and if they were actively used to intercept the communications of people accessing the address. The site hosts hundreds of thousands of addons that give the Thunderbird and Firefox programs powerful functions not included by default.

On Tuesday, Google said a bogus secure sockets layer certificate issued by Dutch firm DigiNotar was used to spy on people located in Iran while visiting Gmail. Counterfeit credentials for “a number of domains” were minted following a security breach on its systems, DigiNotar has said.

Mozilla's confirmation came a few hours after a Dutch news service reported (English translation here) that the DigiNotar breach affected Mozilla and at least four other organizations. Fraudulent certificates for Yahoo.com, the Tor Project, WordPress and the Baladin blogging service in Iran were also generated, the service said without citing any source for that information.

Representatives from Yahoo, the Tor Project, and WordPress didn't immediately respond to inquiries seeking confirmation.

The breach of DigiNotar gave the attackers the digital credentials needed to host spoofs of virtually any Google property that were almost indistinguishable to people using networks controlled by the hackers. The fraudulent certificate showed it was issued on July 10, but it came to light only on Monday. Google hasn't said how long the counterfeit certificate was actively being used in the wild.

An update to Google's open-source Chromium browser published Tuesday appeared to blacklist 247 certificates issued by DigiNotar, suggesting the breach may have been more widespread than previously believed. The certificate authority, which is owned by Vasco Data Security, an Oakbrook Terrace, Illinois-based provider of two-factor authentication products, has declined to quantify the extent of the attack, except to say it affected “a number of domains” including Google's.

Both Google and Microsoft have declined to say how many DigiNotar certificates they plan to blacklist in their software. Representatives from Mozilla have yet to respond to inquiries.

The possibility that other sensitive websites were also targeted only adds to the uncertainty about how widespread the attack was felt. ®

This story was updated to add comment from Johnathan Nightingale and details about the potential number of fraudulent certificates issued.

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
Oracle working on at least 13 Heartbleed fixes
Big Red's cloud is safe and Oracle Linux 6 has been patched, but Java has some issues
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.