Firefox hooks up with HaveIBeenPwned for account pwnage probe
For now, let's ponder browser version 61 adding code that lets extensions close tabs
Firefox has started testing an easier way for users to check whether they're using an online service that has been hacked, through integration with Troy Hunt's HaveIBeenPwned database.
The hookup will work like this: part of a user's email address is hashed, and this hash is used to check if the address appears in HaveIBeenPwned's database of 5.1 billion email addresses linked to compromised internet accounts.
The “Firefox Monitor” test will start with 250,000 users, mostly in the US, according to Mozilla's announcement this week.
Mozilla first revealed its work on the tool in November 2017, and at that time, said a major challenge was to check a user's data against Haveibeenpwned without risking user privacy.
Back then, developer Nihanth Subramanya posed that problem this way: “Who is the custodian of this data? Can we avoid sending user data to haveibeenpwned.com? Can we still offer useful functionality to users who opt out of subscribing their email address?”
Working with Hunt and Cloudflare, Mozilla has come up with an anonymisation approach called k-Anonymity.
Instead of plaintext queries, Firefox Monitor's approach is to use “hash range query API endpoints” to handle the data. “When a user submits their email address to Firefox Monitor, it hashes the plaintext value and sends the first 6 characters to the HIBP API. For example, the value 'firstname.lastname@example.org' hashes to
567159d622ffbb50b11b0efd307be358624a26ee ”, according to a blog post explaining the k-Anonymity mechanism.
That isn't going to yield a single exact match, so Firefox Monitor loops through the objects returned by the API “to find which (if any) prefix and breached account HashSuffix equals the the user-submitted hash value”.
Here's a bit more explanation:
Firefox Monitor discovers that “email@example.com” appears in the LinkedIn breach, but does not disclose plaintext or even hashes of sensitive user data. Further, HIBP does not disclose its entire set of hashes, which allows Firefox users to maintain their privacy, and protects breached users from further exposure.
Troy Hunt wrote that the average k-Anonymity API query returns 477 responses.
The k-Anonymity feature was developed in cooperation with Cloudflare, whose Junade Ali provided this explanation in February, and it also forms the basis of Hunt's HIBP integration with 1Password.
However, don't expect the API to become available to the public, Hunt warned: “it could massively accelerate enumeration activities”.
Meanwhile, meet Firefox 61
While you wait for all that goodness to land in Firefox, the 61st version of its browser has become available.
Big features this time around include "Tab warming", which starts to load a tab once a pointer hovers over it, easier search engine management, plus an "Accessibility Tools Inspector" that lets "creators and developers to now easily make pages for users with accessibility requirements."
Another new feature is called "WebExtension Tab Management" and will mean that "WebExtensions can now hide tabs as well as manage the behavior of the browser when a tab is opened or closed, so you can expect to see exciting new extensions that take advantage of these features in the near future."
Exciting? We hope in a positive way, given the frequent presence of malicious browser extensions in app stores. ®