High security flaw in the sync system?
Hi , I've met a very confusing security problem and a serious one , First of all let me give you my account details , username: *******@*mail.com , password: I can provide it for you if necessary , And knowing that I only use the sync system on my personal PC (laptop) which is considered as private one used by me only and well protected , and I assume what I'm saying. So one day I was in need to access the Internet on a public PC and as always I love Mozilla Firefox , and I've opened only facebook account , and filled a website form with my email account (the same as my sync username) , Please Notice I've not used the sync(no need to,and not stupid). Once finished I cleared my history and caches. And The enigma comes after two days if I remember correctly , I used a 3g data modem( the Operator was ATM MOBILIS) it was so urgent to me to connect my laptop to the internet,and once connection established , I opened Firefox and discovered that my sync account has been used by someone else and I've found saved passwords that aren't mine and history also, And the stranger part is that the Data (passwords & history) belongs to a person that lives in my city. I recognized him through his facebook photo , I can also Provide you with the Data I've found. I've passed a lot of time thinking of this issue and nothing comes clear yet , So I've decided to ask you to provide me with your helping and assistance , and if I've forget something please let me know.
Waiting for the reply.Thanks in advance.
deleted email address - we have no use for it, but web spiders can gather it for spam purposes
Gewysig op
All Replies (3)
Hi nasgeneration. I am sorry to hear that you are having this problem with Firefox sync.
I am currently checking with others to see if other people have reported a problem smiler to what you are experiencing. This will help us see if it is a inherent flaw in the sync system or if perhaps someone on the network at the public network captured some packets and was able to get your username and password.
Just wanted to let you know that we are looking into it.
If you want to get in contact with the Mozilla security group you can do so by going to this site: https://www.mozilla.org/security/bug-bounty/ Near the bottom of that site it has a link to report a bug (we will be doing that if we think that there is a problem with the sync system) it also has the email for the security group. If you do anything like that please let us know so we know what action is being taken.
HI asgeneration, Just wanted to let you know that the team is looking into this and I should have an update for you. The information above is a great way to have the security team look into it. I will be contacting the sync team in the meantime.
Hi nasgeneration,
I'm a developer on the Firefox Accounts team and am trying to dig into the issue here. I think it would be better to move the discussion to a security bug, which will make it easier to share any privacy-sensitive information from your perspective, and will also give us more time to respond appropriately if we do happen to uncover a security issue.
Please file a bug at the following URL:
https://bugzilla.mozilla.org/enter_bug.cgi?product=Mozilla%20Services
With the following details:
* "Server: Firefox Accounts" as the Component * my email ("rfkelly" at "mozilla.com") in the CC field * your report above as the description * tick the "security" checkbox where is says "Many users could be harmed by this security problem: it should be kept hidden from the public until it is resolved."
Then post the bug number here for reference.
(FWIW, I can't think of any potential security issues that would trigger this behaviour, based on your initial description above. But it's hard to speculate without asking a lot more detailed questions, which will be better done in the bug report.)