Hacker News new | ask | show | jobs
by jvehent 4336 days ago
A process failed, and the DB dump that is published to help contributors improve the MDN site got out unsanitized. The sanitization/publication process will be redesigned to include stricter controls. For now, it is shut down.

MDN has been using persona for a while now, meaning that most accounts don't have passwords in the database. But older accounts still had the SHA256 salted hash that Django creates.

We traced back as much as we could. Access logs, netflow data, etc... We found that the tar.gz containing the DB dump had been downloaded only a small number of times. Mostly by known contributors. But we can't rule out that someone with malicious intentions got access to it.
1 comments
Pacabel 4335 days ago
Who exactly are these "known contributors", and why did they have access to this data? Why did they not report the problem earlier?

And if it was downloaded "mostly" by "known contributors", who was involved with the rest of the detected downloads?

link
jeffbryner 4335 days ago
https://bugzilla.mozilla.org/show_bug.cgi?id=932869 was the request for a sanitized DB for folks wanting to develop MDN itself. We could identify most of the handful of IPs that downloaded the file during the time period where it was unsanitized to individuals (i.e. IPs inside Mozilla offices, etc.). However because some IPs were unknown, or public, or potential NAT addresses Mozilla decided it was best to disclose the issue.
link
Pacabel 4335 days ago
If some of the accesses were by people or systems within Mozilla, can you please address why a month went by before the problem was noticed?

If there was enough need to justify putting forth the effort required to export a sanitized version of these data for developers to use, then why didn't these users notice that something was wrong much sooner? And if they did notice, why weren't the appropriate parties within Mozilla notified sooner?

Could you please provide more specific details about these IP addresses that couldn't be accounted for, too? Perhaps a list of them, for instance? At least then affected users will be able to make their own call regarding their level of risk due to this incident.

link
jeffbryner 4335 days ago
Sorry, I can't provide a list.
link
Pacabel 4335 days ago
Why not?
link
ygjb 4335 days ago
Because our privacy policies state that we won't disclose personally identifiable information about users, and IP addresses can be personally identifiable.

Unfortunately security incidents happen, but we won't violate the commitments we have made to our users; in this case, if we revealed the IP addresses we would have another, deliberate information leak on our hands.

link