<div dir="ltr"><div dir="ltr"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" id="gmail-docs-internal-guid-341bd80e-7fff-3253-ce94-92ab0ea395ee"><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">If you </span><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-weight:700;vertical-align:baseline;white-space:pre-wrap">have ever run FxA servers</span><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">, please read on. </span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Several FxA servers depended on a version of </span><a href="https://github.com/dominictarr/event-stream/issues/116" style="text-decoration-line:none"><span style="font-size:11pt;font-family:Arial;background-color:transparent;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">flatmap-stream that was taken over by an attacker</span></a><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap"> and corrupted to steal bitcoin wallets. 
These repos include:</span></p><br><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:disc;font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre;margin-left:11pt"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><a href="https://github.com/mozilla/fxa-local-dev" style="text-decoration-line:none"><span style="font-size:11pt;background-color:transparent;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">fxa-local-dev</span></a><span style="font-size:11pt;background-color:transparent;vertical-align:baseline;white-space:pre-wrap"> [1]</span></p></li><li dir="ltr" style="list-style-type:disc;font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre;margin-left:11pt"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><a href="https://github.com/mozilla/fxa-oauth-server/" style="text-decoration-line:none"><span style="font-size:11pt;background-color:transparent;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">fxa-oauth-server</span></a><span style="font-size:11pt;background-color:transparent;vertical-align:baseline;white-space:pre-wrap"> [2] (pre-Oct 24th)</span></p></li><li dir="ltr" style="list-style-type:disc;font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre;margin-left:11pt"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><a href="https://github.com/mozilla/fxa-auth-server/" style="text-decoration-line:none"><span style="font-size:11pt;background-color:transparent;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">fxa-auth-server</span></a><span style="font-size:11pt;background-color:transparent;vertical-align:baseline;white-space:pre-wrap"> [3] (post-Oct 24th</span><span 
style="font-size:11pt;color:rgb(17,85,204);background-color:transparent;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">)</span></p></li><li dir="ltr" style="list-style-type:disc;font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre;margin-left:11pt"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><a href="https://github.com/mozilla/fxa-basket-proxy/" style="text-decoration-line:none"><span style="font-size:11pt;background-color:transparent;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">fxa-basket-proxy</span></a><span style="font-size:11pt;background-color:transparent;vertical-align:baseline;white-space:pre-wrap"> [4]</span></p></li></ul><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">If you run any of these servers, </span><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-weight:700;vertical-align:baseline;white-space:pre-wrap">please stop them now and update to the latest versions.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Each repo can be updated by entering its directory and typing:</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Verdana;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">> git checkout -- .</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Verdana;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">> git pull</span></p><p dir="ltr" 
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Verdana;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">> npm install</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">For fxa-local-dev, type:</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Verdana;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">> git checkout -- .</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Verdana;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">> git pull</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Verdana;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">> npm install</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Verdana;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">> ./scripts/update_all.sh</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Our current information is that the malicious package was designed to steal bitcoin wallets. If you are running a bitcoin wallet app on the same machine as FxA, check your wallet.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Again, this is only necessary if you run any of [1][2][3][4] locally. 
The Mozilla-hosted Firefox Accounts servers are not affected, and if the Mozilla-hosted servers are the only ones you use, you are not at risk.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">If you have questions, please email </span><span style="font-size:11pt;font-family:Arial;color:rgb(17,85,204);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><a href="mailto:infosec@mozilla.com">infosec@mozilla.com</a></span><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">, or visit the #security channel in IRC or Slack.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Thanks,</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Shane</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">[1] - </span><a href="https://github.com/mozilla/fxa-local-dev" style="text-decoration-line:none"><span style="font-size:11pt;font-family:Arial;background-color:transparent;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">https://github.com/mozilla/fxa-local-dev</span></a></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">[2] - </span><a href="https://github.com/mozilla/fxa-oauth-server/" 
style="text-decoration-line:none"><span style="font-size:11pt;font-family:Arial;background-color:transparent;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">https://github.com/mozilla/fxa-oauth-server/</span></a></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">[3] - </span><a href="https://github.com/mozilla/fxa-auth-server/" style="text-decoration-line:none"><span style="font-size:11pt;font-family:Arial;background-color:transparent;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">https://github.com/mozilla/fxa-auth-server/</span></a></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">[4] - </span><a href="https://github.com/mozilla/fxa-basket-proxy/" style="text-decoration-line:none"><span style="font-size:11pt;font-family:Arial;background-color:transparent;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">https://github.com/mozilla/fxa-basket-proxy/</span></a></p></div></div>