Hacker Stole Cyberweapon from Mozilla’s Bug-fixing Website
Technology // Web Services
More than 50 critical security vulnerabilities in the Bugzilla database were copied and at least one was used to penetrate Firefox users’ computers.
Bugzilla allows Mozilla developers to record vulnerabilities they discover and discuss potential fixes.
“Entries on critical bugs are blocked to all but privileged accounts long after a fix has been released to ensure that the bulk of Firefox users have installed the patch,” according to Computerworld.
An attacker was able to break into one of these privileged accounts and download security-sensitive information about flaws in Firefox and other Mozilla products, Mozilla disclosed Sept. 4 (FAQ and company blog post).
It seems the legitimate account holder used the same password for Bugzilla and an outside website. The attacker breached the second site and was able to score the double-duty password.
Mozilla patched the hole that the hacker used to attack Firefox users on Aug. 6, after reports surfaced that a Russian news site was serving a Firefox exploit that searched for sensitive files and uploaded them to a server in Ukraine.
The FAQ spells out in detail Mozilla's take on the timeline of the breach and its impact.
The hacker broke into the privileged Bugzilla account at least as early as September 2014, with some indications that access was obtained a year before that.
Mozilla says 43 of the security vulnerabilities had been patched by the time the hacker gained access to Bugzilla. Three of the remaining 10, however, were open -- meaning a patch had not yet been issued -- for between 131 and 335 days.
The Bugzilla entry for the vulnerability used by the thief was open for 36 days, Mozilla said.