Hackers managed to access Mozilla’s Bugzilla repository of security vulnerabilities and steal sensitive information that enabled them to exploit at least one flaw that has now been patched, the Firefox maker has revealed.
Mozilla claimed the attacker had unauthorized access to Bugzilla since September 2014, although it admitted “there are some indications” they may have been rooting around inside since September 2013.
Bugzilla holds non-public details of flaws in Firefox and other Mozilla products, information that attackers could use to target users who have not yet patched.
The attacker had access to 185 non-public bugs in total, 53 of which were classed as severe – although 43 of these had already been patched.
As for the remaining 10, the attacker had a window of between seven and 335 days in which to exploit the bugs, depending on the flaw.
Mozilla continued:
“It is technically possible that any of these bugs could have been used to attack Firefox users in the vulnerability window. One of the bugs open less than 36 days was used for an attack using a vulnerability that was patched on August 6, 2015. Other than that attack, however, we do not have any data indicating that other bugs were exploited.”
The attacker apparently gained entry to the private system using a privileged user’s password that had been re-used on another site, which was subsequently breached.
The attacker then exploited the flaw patched on August 6 to collect private data on Firefox users visiting a Russian news site, Mozilla claimed.
The vulnerability was patched on 6 August and the new version of Firefox, released on 27 August, “fixed all of the vulnerabilities that the attacker learned about and could have used to harm Firefox users.”
Mozilla has updated Bugzilla security, as explained in a blog post:
“As an immediate first step, all users with access to security-sensitive information have been required to change their passwords and use two-factor authentication. We are reducing the number of users with privileged access and limiting what each privileged user can do. In other words, we are making it harder for an attacker to break in, providing fewer opportunities to break in, and reducing the amount of information an attacker can get by breaking in.”