Mozilla Fixes Critical Flaws, Adds Have I Been Pwned Integration in Firefox
The latest version of Firefox includes a new feature that integrates Have I Been Pwned, a service by security expert Troy Hunt that alerts users if their credentials have been compromised.
Mozilla has released a set of security fixes for Firefox that includes patches for seven critical vulnerabilities, a handful of which can be exploited to run arbitrary code. The new version of the browser also includes a service that will allow users to see whether any of their online accounts have been compromised in data breaches.
The patches included in Firefox 61 cover a wide range of vulnerabilities, including a number of buffer overflows and use-after-free bugs. The most serious set of flaws comprises several memory safety vulnerabilities that Mozilla has grouped together in three separate sets. The bugs aren’t identified individually and Mozilla didn’t provide much in the way of detail on the vulnerabilities, aside from saying that they might lead to code execution.
“Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code,” Mozilla said in its advisory.
Firefox 61 also includes a new service called Monitor that integrates with Troy Hunt’s Have I Been Pwned service, which is a database of email addresses that have been included in known data breaches. Hunt maintains a massive database that right now includes more than 5 billion accounts that have been compromised in breaches. Mozilla partnered with Hunt to access his database through an API that anonymizes user inputs so that full email addresses aren’t sent to the HIBP database. The Monitor service hashes the user’s email address and then sends the first six characters to the API.
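The anonymized lookup described above, sketched as an added example (not Mozilla's or HIBP's code). It assumes SHA-1 over the trimmed, lower-cased address, since the article does not name the hash function, and uses a constructed in-memory `MockRangeApi` with made-up breach names in place of the real service.

```python
import hashlib
import hmac

PREFIX_LEN = 6  # the article says the first six characters of the hash are sent


def email_hash(email: str) -> str:
    # Assumption: SHA-1 over the trimmed, lower-cased address (hex, upper case).
    # The article does not name the hash function.
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()


class MockRangeApi:
    """Constructed stand-in for the breach database; not the real HIBP API."""

    def __init__(self, breached: dict):
        self.buckets = {}   # prefix -> {suffix: [breach names]}
        self.seen = []      # everything the "server" ever receives
        for email, names in breached.items():
            h = email_hash(email)
            bucket = self.buckets.setdefault(h[:PREFIX_LEN], {})
            bucket[h[PREFIX_LEN:]] = names
            # Constructed decoy: another record that shares the same prefix.
            decoy = hashlib.sha1(h.encode()).hexdigest().upper()[PREFIX_LEN:]
            bucket[decoy] = ["ConstructedOtherBreach"]

    def range_query(self, prefix: str) -> dict:
        if len(prefix) != PREFIX_LEN:
            raise ValueError("server accepts only the fixed-length prefix")
        self.seen.append(prefix)
        return dict(self.buckets.get(prefix, {}))


def check_email(email: str, api: MockRangeApi) -> list:
    """Return breach names for email; only the hash prefix leaves the client."""
    h = email_hash(email)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for cand, names in api.range_query(prefix).items():
        # The final match happens locally, against every record in the bucket.
        if hmac.compare_digest(cand, suffix):
            return names
    return []


# Constructed sample data (example.com address, made-up breach names).
API = MockRangeApi({"alice@example.com": ["ConstructedBreachA", "ConstructedBreachB"]})

if __name__ == "__main__":
    print(check_email(" Alice@Example.com ", API))  # normalised before hashing
    print(check_email("bob@example.com", API))
    print(API.seen)  # the server only ever saw six-character prefixes
```

The mock server's `seen` list holds only six-character prefixes, and each prefix maps to more than one record, so the server cannot tell which record the client was checking.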
The service is just in the test phase right now and Mozilla plans to begin inviting Firefox users to try it out.
“We decided to address a growing need for account security by developing Firefox Monitor, a proposed security tool that is designed for everyone, but offers additional features for Firefox users. Visitors to the Firefox Monitor website will be able to check (by entering an email address) to see if their accounts were included in known data breaches, with details on sites and other sources of breaches and the types of personal data exposed in each breach,” Peter Dolanjski of Mozilla said.
“The site will offer recommendations on what to do in the case of a data breach, and how to help secure all accounts. We are also considering a service to notify people when new breaches include their personal data.”
Hunt, a security researcher, said he was happy to see the HIBP service integrated with Firefox, as it instantly gives many more people a simple way to see if their accounts have been compromised.
“This is major because Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream,” Hunt wrote.