Security researcher Alexander Kolesnik reported that, while the Mozilla platform does not yet support TLS connections to TURN and STUN servers, the WebRTC implementation would accept turns: and stuns: URIs and then attempt plaintext connections to the servers when these were used. This can lead to disclosure of credentials through a man-in-the-middle (MITM) attack, as the connection is not encrypted.
Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Alexander Kolesnik as the original reporter.
This issue does not affect the versions of firefox and thunderbird as shipped with Red Hat Enterprise Linux 5, 6 and 7.
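
As an added example (not code from Mozilla or Red Hat), the following check lists the entries in an RTCPeerConnection configuration that use the turns: or stuns: schemes described above, and marks those that carry credentials, so an application can see which ICE servers would be contacted in plaintext on an affected build. The function names, hostnames and credential values are constructed for illustration.

```javascript
// Added example, not Mozilla or Red Hat code; function names are hypothetical.
// Simplified ICE server URI shape after RFC 7064/7065:
//   scheme ":" host [":" port] ["?transport=" proto]
const ICE_URI =
  /^(stuns?|turns?):(\[[0-9a-fA-F:.]+\]|[^:?\[\]\s]+)(?::(\d{1,5}))?(?:\?transport=(udp|tcp))?$/i;

function parseIceUri(uri) {
  const m = ICE_URI.exec(String(uri).trim());
  if (!m) return null; // not a stun/stuns/turn/turns URI
  const scheme = m[1].toLowerCase();
  return {
    scheme,
    host: m[2],
    port: m[3] ? Number(m[3]) : null,
    transport: m[4] ? m[4].toLowerCase() : null,
    secure: scheme.endsWith("s"), // stuns: / turns: promise TLS
  };
}

// Returns one finding per URI that relies on TLS (or cannot be parsed).
function auditIceServers(config) {
  const findings = [];
  for (const [index, server] of (config.iceServers || []).entries()) {
    // `urls` may be a string or an array; `url` is the legacy single-value key.
    const urls = [].concat(server.urls ?? server.url ?? []);
    for (const uri of urls) {
      const parsed = parseIceUri(uri);
      if (!parsed) {
        findings.push({ index, uri, issue: "unparseable" });
      } else if (parsed.secure) {
        const credentialsAtRisk = Boolean(server.username || server.credential);
        findings.push({ index, uri, issue: "tls-scheme", credentialsAtRisk });
      }
    }
  }
  return findings;
}

// Constructed sample configuration (hosts and secrets are not real).
const sampleConfig = {
  iceServers: [
    { urls: "stun:stun.example.test:3478" },
    { urls: ["turns:turn.example.test:5349?transport=tcp", "turn:turn.example.test:3478"],
      username: "alice", credential: "constructed-secret" },
    { url: "stuns:stun.example.test" },
  ],
};

console.log(auditIceServers(sampleConfig));
```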