The Mozilla Foundation recently acknowledged that a privileged user’s account in its Bugzilla bug tracking tool was breached, giving the attacker access to sensitive information about vulnerabilities in the Firefox browser and other Mozilla products for more than a year.
The breach, according to the Mozilla Foundation, was the unfortunate result of password reuse.
“The attacker acquired the password of a privileged Bugzilla user, who had access to security-sensitive information,” the Mozilla Foundation explained in a FAQ [PDF]. “Information uncovered in our investigation suggests that the user re-used their Bugzilla password with another website, and the password was revealed through a data breach at that site.”
The compromised account has been shut down, and an outside security firm was brought in to conduct a forensic analysis.
The earliest confirmed date of the attacker’s unauthorized access is September 2014, but there are indications that the attacker may have gained access as early as September 2013.
The attacker had access to 185 non-public bugs, 53 of which were severe vulnerabilities.
Forty-three of those bugs had already been fixed in the released version of Firefox by the time the attacker found out about them, but for the other 10 bugs, the attacker had a window of time before the bug was fixed in Firefox. In the three most severe cases, the attacker had windows of 131 days, 157 days and 335 days before the severe vulnerability in question was fixed.
“It is technically possible that any of these bugs could have been used to attack Firefox users in the vulnerability window,” the Mozilla Foundation stated. “One of the bugs open less than 36 days was used for an attack using a vulnerability that was patched on August 6, 2015. Other than that attack, however, we do not have any data indicating that other bugs were exploited.”
In the case of the vulnerability that was patched on August 6, 2015, an attack exploiting that vulnerability was used to collect private data from Firefox users who visited a news site in Russia.
In response to the breach, the Mozilla Foundation has reset all passwords for privileged users, and all privileged users will now be required to use two-factor authentication to access Bugzilla. The access that each Bugzilla user has is also being reduced in order to limit the amount of information that could be exposed by a future breach. Finally, the Mozilla Foundation is increasing the amount of auditing it does on privileged users’ actions in order to detect suspicious activity more efficiently.
“Openness, transparency, and security are all central to the Mozilla mission,” Firefox security lead Richard Barnes wrote in a blog post acknowledging the breach. “That’s why we publish security bugs once they’re no longer dangerous, and it’s why we’re writing a blog post about unauthorized access to our infrastructure. We have notified the relevant law enforcement authorities about this incident, and may take additional steps based on the results of any further investigations.”
Recent eSecurity Planet articles have offered advice on enforcing password policies and improving password complexity without alienating users.