Mozilla, creator of the open-source Firefox browser and Thunderbird email client, has confessed to a breach in its bug-tracking system which saw ne'er-do-wells make off with zero-day vulnerabilities.
Like most open-source software projects, Mozilla does most of its development in plain sight. Its bug-tracking system, Bugzilla
, allows users to submit issues with the software while the devs can communicate their resolutions straight back. Anyone experiencing an issue is free to search the database, but there's a class of flaw that is hidden from public view: security vulnerabilities. Because knowledge of these vulnerabilities before they are patched could lead to attacks against Mozilla's users, these are kept private until a patch is developed and rolled out - a process known in security circles as responsible disclosure.
Unfortunately, some very irresponsible parties have obtained access to these private bug reports - and, in doing so, ended up with a cache of zero-day vulnerabilities which can be, and are being, exploited in the wild to attack end-users. 'Someone was able to steal security-sensitive information from Bugzilla. We believe they used that information to attack Firefox users,
' explained Mozilla's Richard Barnes in a blog post
announcing the attack.
While the flaws have been patched, the attacker is believed to have had access to the system since at least 2014, and potentially as early as 2013, before the breach was discovered. 'The version of Firefox released on August 27 fixed all of the vulnerabilities that the attacker learned about and could have used to harm Firefox users,
' claimed Barnes. 'We believe that the attacker used information from Bugzilla to exploit the vulnerability we patched on August 6. We have no indication that any other information obtained by the attacker has been used against Firefox users.
As a result of the attack, Barnes explaiined, Mozilla is beefing-up its security measures. Changes include enforced two-factor authentication (2FA) for all security-privileged users, and a reduction in the overall number of users who have access to security-related information. 'In other words,
' explained Barnes, 'we are making it harder for an attacker to break in, providing fewer opportunities to break in, and reducing the amount of information an attacker can get by breaking in.