The secure webpage hosting addons for Mozilla Firefox was targeted in the same attack that minted a fraudulent authentication credential for Google websites, the maker of the open-source browser said.
"DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of issue," Johnathan Nightingale, Mozilla's director of Firefox development, wrote in a statement. "In the absence of a full account of mis-issued certificates from DigiNotar, the Mozilla team moved quickly to remove DigiNotar from our root program and protect our users."
Nightingale didn't say how many Mozilla certificates were issued and if they were actively used to intercept the communications of people accessing the address. The site hosts hundreds of thousands of addons that give the Thunderbird and Firefox programs powerful functions not included by default.
On Tuesday, Google said a bogus secure sockets layer certificate issued by Dutch firm DigiNotar was used to spy on people located in Iran while visiting Gmail. Counterfeit credentials for “a number of domains” were minted following a security breach on its systems, DigiNotar has said.
Mozilla's confirmation came a few hours after a Dutch news service reported (English translation here) that the DigiNotar breach affected Mozilla and at least four other organizations. Fraudulent certificates for Yahoo.com, the Tor Project, WordPress and the Baladin blogging service in Iran were also generated, the service said without citing any source for that information.
Representatives from Yahoo, the Tor Project, and WordPress didn't immediately respond to inquiries seeking confirmation.
The breach of DigiNotar gave the attackers the digital credentials needed to host spoofs of virtually any Google property that were almost indistinguishable to people using networks controlled by the hackers. The fraudulent certificate showed it was issued on July 10, but it came to light only on Monday. Google hasn't said how long the counterfeit certificate was actively being used in the wild.
An update to Google's open-source Chromium browser published Tuesday appeared to blacklist 247 certificates issued by DigiNotar, suggesting the breach may have been more widespread than previously believed. The certificate authority, which is owned by Vasco Data Security, an Oakbrook Terrace, Illinois-based provider of two-factor authentication products, has declined to quantify the extent of the attack, except to say it affected “a number of domains” including Google's.
Both Google and Microsoft have declined to say how many DigiNotar certificates they plan to blacklist in their software. Representatives from Mozilla have yet to respond to inquiries.
The possibility that other sensitive websites were also targeted only adds to the uncertainty about how widespread the attack was felt. ®
This story was updated to add comment from Johnathan Nightingale and details about the potential number of fraudulent certificates issued.