Entomology lessons —

Mozilla: data stolen from hacked bug database was used to attack Firefox

A privileged user's account was compromised at least as early as September 2014.

Bug tracking
Bug tracking

An attacker stole security-sensitive vulnerability information from the Mozilla's Bugzilla bug tracking system and probably used it to attack Firefox users, the maker of the open-source Firefox browser warned Friday.

In an FAQ published (PDF) alongside Mozilla's blog post about the attack, the company added that the loss of information appeared to stem from a privileged user's compromised account. The user appeared to have re-used their Bugzilla account password on another website, which suffered a data breach. The attacker then allegedly gained access to the sensitive Bugzilla account and was able to “download security-sensitive information about flaws in Firefox and other Mozilla products.”

Mozilla added that the attacker accessed 185 non-public Firefox bugs, of which 53 involved “severe vulnerabilities.” Ten of the vulnerabilities were unpatched at the time, while the remainder had been fixed in the most recent version of Firefox at the time.

Of the ten unpatched bugs, the company believes that the attacker used one to exploit a Firefox vulnerability. Mozilla wrote about that vulnerability at the beginning of August, warning users that “an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine.” The vulnerability was patched on August 6.

Mozilla said today that it did not have proof that the attacker who accessed the privileged Bugzilla user's account had exploited any other vulnerabilities.

The company added that it had “fixed all of the vulnerabilities that the attacker learned about and could have used to harm Firefox users,” with a release of a new version of Firefox on August 27.

The software company noted that it had confirmed instances of unauthorized access to Bugzilla as early as September 2014, but it added that the attacker's ability to access the system could date back as far as September 2013. Mozilla didn't divulge when it discovered that there had been unauthorized access to Firefox's bug tracker, but it says that when it discovered the attack, it shut down the compromised account and contacted a third-party security firm to complete a forensic analysis.

”We are updating Bugzilla’s security practices to reduce the risk of future attacks of this type,” Mozilla wrote on its blog. “As an immediate first step, all users with access to security-sensitive information have been required to change their passwords and use two-factor authentication.”

The company added that it is also “reducing the number of users with privileged access and limiting what each privileged user can do.”

Channel Ars Technica