MozillaZine fixes information leak
Three hours before Firefox 0.8 was released, I found a security hole in MozillaZine: you could see the titles of unpublished articles (e.g. http://mozillazine.org/talkback.html?article=4283) in the titlebar. Using this hole, I accidentally discovered the name change before the release. The hole has been fixed.
jesus_X informs me that long ago, MozillaZine let you see the full text of unpublished articles. I guess the original hole was partially fixed, leaving only the title of the article visible.
February 11th, 2004 at 9:29 am
It’s good that the hole has been fixed. MozillaZine rarely gets information in advance (they only knew of the name because Kerz came up with it), but it could be damaging if any info they did have got out early.
That said, if Jesus_X knew about this hole so long ago, why didn’t he inform anyone? So he could spy on MozillaZine, I guess.
February 11th, 2004 at 9:36 am
I don’t think jesus_X knew about the title leak until I told him about it.
February 11th, 2004 at 5:15 pm
I’m sure they were notified in advance enough to change the forum names, just like djst was notified so he could update his website before it was slashdotted.
February 11th, 2004 at 6:51 pm
Question: You’ve found a security hole in a website. What do you do?
A. Tell the maintainers of the site.
B. Tell their nearest competitor, allowing them to steal news.
I knew that reading the headlines of unpublished articles was possible under certain circumstances but thought that no-one else knew about it. In any case, most of the future article headlines are hardly top secret. I did take precautions with some sensitive articles though. I thought Kerz knew about the hole. Seems he didn’t.
This is the first I’ve ever heard of full articles being visible before publication.
We were told in advance about the name change, as well as the release dates and times. Similar to when we were told about the new end user services launch or last year’s major Roadmap update. Completely dissimilar to when we weren’t told about the creation of the Mozilla Foundation. They’re quite good about supplying prerelease news now.
February 11th, 2004 at 9:15 pm
To “b”: As Jesse said in a reply, I didn’t know about the headline-in-titlebar hole until he told me, as I don’t have the same security-hole detection abilities as Jesse does. He finds them everywhere, with amazing speed. It’s one of his many talents. As for not notifying anyone, as Jesse said, this was LONG ago that there was a hole I knew of, and it had long since been fixed. I have no such interest in spying on MoZine, flat out. Please keep those kinds of guesses to yourself.
To Alex: I don’t need to “steal” your news, nor did I. If you have problems with me, take it up with me, not in someone else’s blog comments. Jesse just happened to ask if I knew anything about the name change. He didn’t run to tell me of the bug. You only make yourself look bad when you try to insult myself and Jesse. You owe Jesse an apology.
February 12th, 2004 at 6:00 pm
jesus_X: I wasn’t trying to insult anyone, just expressing my surprise that a member of the Mozilla security group’s first thought on finding a bug in a popular Mozilla news site was not to tell the site’s maintainers but to discuss the issue with a maintainer of a rival site.
Maybe you don’t need to steal news. However, the fact remains that the Mozilla Foundation decided not to tell you about the name change for whatever reason, yet you still had an article ready in time for the midnight launch.
February 12th, 2004 at 6:25 pm
“I don’t think jesus_X knew about the title leak until I told him about it.
Posted by: Jesse Ruderman at February 11, 2004 09:36 AM”
You posted that yourself. You told someone else about a security hole, before coming to me about it. For being an expert in security related issues, you sure blew it on this one. If anyone should be giving an apology, it’s you, Jesse.
–jason
February 12th, 2004 at 7:14 pm
kerz: You’re right, I should have come to you first, even though it was only a leak of article titles and not a compromise or leak of user information. I told jesus_X about the Firefox article because it surprised me, and I told him about the security hole when I did that. Luckily, he was trustworthy enough not to publish anything before the official name-change announcement.
In the future, I’ll be more careful with security holes I find in web sites. I won’t keep them a secret as long as I do with Mozilla security holes, but I will tell the site maintainer first.