Feeds

Mozilla addons site targeted in same attack that hit Google

Counterfeiters mint SSL cert for addons.mozilla.org

The Essential Guide to IT Transformation

The secure webpage hosting addons for Mozilla Firefox was targeted in the same attack that minted a fraudulent authentication credential for Google websites, the maker of the open-source browser said.

"DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of issue," Johnathan Nightingale, Mozilla's director of Firefox development, wrote in a statement. "In the absence of a full account of mis-issued certificates from DigiNotar, the Mozilla team moved quickly to remove DigiNotar from our root program and protect our users."

Nightingale didn't say how many Mozilla certificates were issued and if they were actively used to intercept the communications of people accessing the address. The site hosts hundreds of thousands of addons that give the Thunderbird and Firefox programs powerful functions not included by default.

On Tuesday, Google said a bogus secure sockets layer certificate issued by Dutch firm DigiNotar was used to spy on people located in Iran while visiting Gmail. Counterfeit credentials for “a number of domains” were minted following a security breach on its systems, DigiNotar has said.

Mozilla's confirmation came a few hours after a Dutch news service reported (English translation here) that the DigiNotar breach affected Mozilla and at least four other organizations. Fraudulent certificates for Yahoo.com, the Tor Project, WordPress and the Baladin blogging service in Iran were also generated, the service said without citing any source for that information.

Representatives from Yahoo, the Tor Project, and WordPress didn't immediately respond to inquiries seeking confirmation.

The breach of DigiNotar gave the attackers the digital credentials needed to host spoofs of virtually any Google property that were almost indistinguishable to people using networks controlled by the hackers. The fraudulent certificate showed it was issued on July 10, but it came to light only on Monday. Google hasn't said how long the counterfeit certificate was actively being used in the wild.

An update to Google's open-source Chromium browser published Tuesday appeared to blacklist 247 certificates issued by DigiNotar, suggesting the breach may have been more widespread than previously believed. The certificate authority, which is owned by Vasco Data Security, an Oakbrook Terrace, Illinois-based provider of two-factor authentication products, has declined to quantify the extent of the attack, except to say it affected “a number of domains” including Google's.

Both Google and Microsoft have declined to say how many DigiNotar certificates they plan to blacklist in their software. Representatives from Mozilla have yet to respond to inquiries.

The possibility that other sensitive websites were also targeted only adds to the uncertainty about how widespread the attack was felt. ®

This story was updated to add comment from Johnathan Nightingale and details about the potential number of fraudulent certificates issued.

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.