Hackers Exploit Stolen Firefox Bug Information
Attacker Breached Mozilla's Bugzilla Bug-Tracking Software in 2014, if not Before
Mozilla is warning that at least one year ago, an attacker infiltrated the repository that it uses to log bugs pertaining to its Firefox browser, began stealing information relating to unpatched vulnerabilities in Firefox and other Mozilla products, and actively targeted at least one unpatched flaw in Firefox for a period of at least three weeks. Officials at the free-software community say they have also alerted law enforcement to the theft, and say they have taken steps to improve their internal security practices, to help block such attacks in the future.
"Someone was able to steal security-sensitive information from Bugzilla," says Richard Barnes, who works in the security and privacy engineering team at Mozilla, in a Sept. 4 blog post. "We believe they used that information to attack Firefox users."
About 22 percent of all browsers seen in the wild are Firefox, according to recently released statistics from Web developer site W3Schools.
The zero-day Firefox vulnerability was stolen from Mozilla's instance of Bugzilla, which is a widely used, open source system for tracking software-level defects, or bugs. The system is designed to track bugs and changes in code, allow developers to communicate with each other, facilitate the submission and review of patches and manage the overall quality assurance process.
Mozilla is one of many organizations that run Bugzilla, and it was Mozilla's own instance of the bug-tracking software that the attacker breached, rather than some flaw in the Bugzilla platform itself. Apparently no advanced attack was needed to compromise that instance. "Information uncovered in our investigation suggests that the user reused their Bugzilla password with another website, and the password was revealed through a data breach at that site," according to a breach FAQ published by Mozilla (see Why Are We So Stupid About Passwords?).
"To everyone linking or RTing, Bugzilla was not breached. Mozilla's single installation of Bugzilla was. BIG difference..."
Security Errata (@securityerrata), September 4, 2015
Many information security experts have questioned why Mozilla was not using two-factor authentication, which would have mitigated the threat posed by users who reused passwords.
Attack Targeted Firefox PDF Viewer
Mozilla says the stolen bug information was used to target Firefox users, per an alert that it issued in August, warning that an active attack had been found that was stealing information from some systems on which Firefox was installed. "An advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine," Daniel Veditz, the security lead at Mozilla, warned in an Aug. 6 blog post, saying that Windows, Mac OS X and Linux systems were all being targeted.
August Attack Tied To 2014 Bugzilla Breach
Mozilla now says that the August attack was enabled by the attacker gaining access to a user account on Mozilla's Bugzilla instance that had access to information about Firefox security bugs. But Mozilla says it believes that the attacker only targeted one of the bugs, which it patched with the August 27 version of Firefox.
"The account that the attacker broke into was shut down shortly after Mozilla discovered that it had been compromised," Barnes says. "We believe that the attacker used information from Bugzilla to exploit the vulnerability we patched on August 6. We have no indication that any other information obtained by the attacker has been used against Firefox users." As of the version of Firefox released on August 27, all of the vulnerabilities that the attacker learned about and could have targeted were patched. Needless to say, Mozilla recommends that anyone who is running an older version of Firefox upgrade it immediately.
In the wake of the breach, Mozilla says that it reset the passwords for all of its Bugzilla users who have access to security-sensitive information, and now allows users to employ two-factor authentication to access the system, which will become compulsory later this month. "We are reducing the number of users with privileged access and limiting what each privileged user can do," Barnes says. "In other words, we are making it harder for an attacker to break in, providing fewer opportunities to break in, and reducing the amount of information an attacker can get by breaking in."