mozilla / blurts-server

Mozilla Monitor arms you with tools to keep your personal information safe. Find out what hackers already know about you and learn how to stay a step ahead of them.
https://monitor.mozilla.org
Mozilla Public License 2.0

GET https://monitor.firefox.com/img/logos/MailRu.svg 404 (Not Found) #234

Closed pdehaan closed 6 years ago

pdehaan commented 6 years ago

via Devtools console when searching https://monitor.firefox.com/scan for "test@example.com".

Oddly, it looks like the file is there, but possibly a case sensitivity issue:

$ ls public/img/logos/Mail*.svg
# public/img/logos/MailRU.svg
$ jq '.[] | select(.Name=="MailRu")' src/breaches.json

{
  "Title": "mail.ru Dump",
  "Name": "MailRu",
  "Domain": "mail.ru",
  "BreachDate": "2014-09-10",
  "AddedDate": "2014-09-12T04:50:22Z",
  "ModifiedDate": "2018-01-09T03:38:56Z",
  "PwnCount": 16630988,
  "Description": "In September 2014, several large dumps of user accounts appeared on the <a href=\"https://forum.btcsec.com/\" target=\"_blank\" rel=\"noopener\">Russian Bitcoin Security Forum</a> including one with nearly 5M email addresses and passwords, predominantly on the mail.ru domain. Whilst <a href=\"http://globalvoicesonline.org/2014/09/10/russia-email-yandex-mailru-passwords-hacking/\" target=\"_blank\" rel=\"noopener\">unlikely to be the result of a direct attack against mail.ru</a>, the credentials were confirmed by many as legitimate for other services they had subscribed to. Further data allegedly valid for mail.ru and containing email addresses and plain text passwords was added in January 2018 bringing to total to more than 16M records. The incident was also then flagged as &quot;unverified&quot;, a concept that was <a href=\"https://www.troyhunt.com/introducing-unverified-breaches-to-have-i-been-pwned/\" target=\"_blank\" rel=\"noopener\">introduced after the initial data load in 2014</a>.",
  "DataClasses": [
    "Email addresses",
    "Passwords"
  ],
  "IsVerified": false,
  "IsFabricated": false,
  "IsSensitive": false,
  "IsActive": true,
  "IsRetired": false,
  "IsSpamList": false,
  "LogoType": "svg"
}

And here's the latest breach data from HIBP:

$ curl https://haveibeenpwned.com/api/v2/breaches | jq '.[] | select(.Name=="MailRu")'

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  262k    0  262k    0     0  1221k      0 --:--:-- --:--:-- --:--:-- 1220k

{
  "Title": "mail.ru Dump",
  "Name": "MailRu",
  "Domain": "mail.ru",
  "BreachDate": "2014-09-10",
  "AddedDate": "2014-09-12T04:50:22Z",
  "ModifiedDate": "2018-01-09T03:38:56Z",
  "PwnCount": 16630988,
  "Description": "In September 2014, several large dumps of user accounts appeared on the <a href=\"https://forum.btcsec.com/\" target=\"_blank\" rel=\"noopener\">Russian Bitcoin Security Forum</a> including one with nearly 5M email addresses and passwords, predominantly on the mail.ru domain. Whilst <a href=\"http://globalvoicesonline.org/2014/09/10/russia-email-yandex-mailru-passwords-hacking/\" target=\"_blank\" rel=\"noopener\">unlikely to be the result of a direct attack against mail.ru</a>, the credentials were confirmed by many as legitimate for other services they had subscribed to. Further data allegedly valid for mail.ru and containing email addresses and plain text passwords was added in January 2018 bringing to total to more than 16M records. The incident was also then flagged as &quot;unverified&quot;, a concept that was <a href=\"https://www.troyhunt.com/introducing-unverified-breaches-to-have-i-been-pwned/\" target=\"_blank\" rel=\"noopener\">introduced after the initial data load in 2014</a>.",
  "DataClasses": [
    "Email addresses",
    "Passwords"
  ],
  "IsVerified": false,
  "IsFabricated": false,
  "IsSensitive": false,
  "IsActive": true,
  "IsRetired": false,
  "IsSpamList": false,
  "LogoType": "svg"
}
pdehaan commented 6 years ago

I'm semi-confused... Looks like the blurts-addon uses "MailRu.svg" but the blurts-server uses "MailRU.svg".

mozilla/blurts-addon ./src/PwnedLogos/MailRu.svg

versus

mozilla/blurts-server ./public/img/logos/MailRU.svg


Figure 1: screenshot of https://monitor.firefox.com/?breach=MailRu

versus

Figure 2: screenshot of https://monitor.firefox.com/?breach=MailRU

pdehaan commented 6 years ago

Since the blurts-addon repo has a ./package.json file (and a breaches.json file and all the embedded logos, etc), I'm really starting to wonder if we should just mark the add-on as a dependency of the blurts-server and then have some postinstall script which copies over all the assets from the ./node_modules/blurts-addon/ folder.

pdehaan commented 6 years ago

I think this is the only offending file... I did an $ npm i mozilla/blurts-addon mozilla/blurts-server in a dummy project and apart from the one logo, the files seem in sync:

const fs = require("fs");

const addonLogos = fs.readdirSync("./node_modules/blurts-addon/src/PwnedLogos/")
  .filter(file => !file.startsWith("."));
const serverLogos = fs.readdirSync("./node_modules/blurts-server/public/img/logos/")
  .filter(file => !file.startsWith("."));

const addonNotServer = addonLogos.filter(logo => !serverLogos.includes(logo));
console.log("Add-on, but not Server:", addonNotServer);

const serverNotAddon = serverLogos.filter(logo => !addonLogos.includes(logo));
console.log("Server, but not Add-on:", serverNotAddon);

/* OUTPUT:
Add-on, but not Server: [ 'MailRu.svg' ]
Server, but not Add-on: [ 'MailRU.svg' ]
*/
groovecoder commented 6 years ago

Fixed on https://fx-breach-alerts.herokuapp.com/?breach=MailRu