MozillaZine fixes information leak

Three hours before Firefox 0.8 was released, I found a security hole in Mozillazine: you could see the titles of unpublished articles (e.g. in the titlebar. Using this hole, I accidentally discovered the name change before the release. The hole has been fixed.

jesus_X informs me that long ago, MozillaZine let you see the full text of unpublished articles. I guess the original hole was partially fixed, leaving only the title of the article visible.

8 Responses to “MozillaZine fixes information leak”

  1. b Says:

    It’s good that the hole has been fixed. MozillaZine rarely gets information in advance (they only knew of the name because Kerz came up with it), but it could be damaging if any info they did have got out early.

    That said, if Jesus_X knew about this hole so long ago, why didn’t he inform anyone? So he could spy on MozillaZine, I guess.

  2. Jesse Ruderman Says:

    I don’t think jesus_X knew about the title leak until I told him about it.

  3. alanjstr Says:

    I’m sure they were notified in advance enough to change the forum names, just like djst was notified so he could update his website before it was slashdotted.

  4. Alex Bishop Says:

    Question: You’ve found a security hole in a website. What do you do?

    A. Tell the maintainers of the site.
    B. Tell their nearest competitor, allowing them to steal news.

    I knew that reading the headlines of unpublished articles was possible under certain circumstances but thought that no-one else knew about it. In any case, most of the future article headlines are hardly top secret. I did take precautions with some sensitive articles though. I thought Kerz knew about the hole. Seems he didn’t.

    This is the first I’ve ever heard of full articles being visible before publication.

    We were told in advance about the name change, as well as the release dates and times. Similar to when we were told about the new end user services launch or last year’s major Roadmap update. Completely dissimilar to when we weren’t told about the creation of the Mozilla Foundation. They’re quite good about supplying prerelease news now.

  5. jesus X Says:

    To “b”: As Jesse said in a reply, I didn’t know about the headline-in-titlebar hole until he told me, as I don’t have the same security-hole detection abilities as Jesse does. He finds them everywhere, with amazing speed. It’s one his his many talents. As for not notifying anyone, as Jesse said, this was LONG ago that there was a hole I knew of, and it had long since been fixed. I have no such interest in spying on MoZine, flat out. Please keep those kinds of guesses to yourself.

    To Alex: I don’t need to “steal” your news, nor did I. If you have problems with me, take it up with me, not in someone else’s blog comments. Jesse just happened to ask if I knew anything about the name change. He didn’t run to tell me of the bug. You only make yourself look bad when you try to insult myself and Jesse. You owe Jesse an apology.

  6. Alex Bishop Says:

    jesus_X: I wasn’t trying to insult anyone, just expressing my surprise that a member of the Mozilla security group’s first thought on finding a bug in a popular Mozilla news site was not to tell the site’s maintainers but to discuss the issue with a maintainer of a rival site.

    Maybe you don’t need to steal news. However, the fact remains that the Mozilla Foundation decided not to tell you about the name change for whatever reason, yet you still had an article ready in time for the midnight launch.

  7. Jason Says:

    “I don’t think jesus_X knew about the title leak until I told him about it.
    Posted by: Jesse Ruderman at February 11, 2004 09:36 AM “

    You posted that yourself. You told someone else about a security hole, before coming to me about it. For being an expert in security related issues, you sure blew it on this one. If anyone should be giving an apology, it’s you Jesse.


  8. Jesse Ruderman Says:

    kerz: You’re right, I should have come to you first, even though it was only a leak of article titles and not a compromise or leak of user information. I told jesus_X about the Firefox article because it surprised me, and I told him about the security hole when I did that. Luckily, he was trustworthy enough not to publish anything before the official name-change announcement.

    In the future, I’ll be more careful with security holes I find in web sites. I won’t keep them a secret as long as I do with Mozilla security holes, but I will tell the site maintainer first.