Pierluigi Paganini September 05, 2015

Mozilla said that data stolen from its bug tracking system was used to attack Firefox users in the wild, but attackers probably have had access since 2013.

A threat actor that stole sensitive vulnerability information from the Mozilla’s Bugzilla bug tracking system last year has likely used it to target Firefox users.

Mozilla explained that it did not have proof that the attacker who accessed the privileged Bugzilla tracking system had exploited any other vulnerabilities in the wild.

The Mozilla Foundation admitted on Friday that a privileged account on Firefox’s Bugzilla bug-tracking software has been compromised by unknown hackers since at least September 2014.

The news was reported by the Filezilla organization on Friday. Let’s step back, in September experts at Security firm Check Point Software Technologies discovered a zero-day in Bugzilla bug-tracking tool that allowed anyone to view detailed reports about unfixed vulnerabilities in a wide range of vulnerability repositories.

Firefox Foundation revealed that hackers may have used the same flaw to acquire knowledge about unpublicized and unpatched critical security vulnerability in the Firefox browser for a year or more.

The Mozilla Foundation published a FAQ page and a blog post to provide further details on the attack.

“Bugzilla restricts access to security­ sensitive information so that only certain privileged users can access it. An attacker was able to break into a privileged user’s account and download security­ sensitive information about flaws in Firefox and other Mozilla products.” states the FAQ page.

The company confirmed that the data breach appeared to stem from a privileged user’s account that has been compromised by the intruders.

How did the attacker gain access?

According to The Mozilla Foundation it is likely the targeted account has shared the Bugzilla credentials with another website that has been compromised.

The attacker allegedly used to gain access to the sensitive Bugzilla account and was able to “download security-sensitive information about flaws in Firefox and other Mozilla products.”

Mozilla added that the threat actor accessed 185 undisclosed Firefox vulnerabilities, of which 53 involved “severe vulnerabilities.” Ten of the vulnerabilities were still unpatched at the time of the unauthorized access.

“Overall, the attacker accessed 185 non­public bugs, distributed as follows: 110 bugs Protected for reasons other than software security (e.g., proprietary information) 22 bugs Minor security issues (sec­low or sec­moderate) 53 bugs Severe vulnerabilities (sec­high or sec­critical)” continues Mozilla. The company has “fixed all of the vulnerabilities that the attacker learned about and could have used to harm Firefox users,” 

In August, Mozilla warned users that “an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine.” The organization promptly patched the flaw on August 6.

The company revealed that that the unauthorized access the system could date back as far as September 2013. When discovered the access, Mozilla shut down the compromised account and hires a third-party security firm to conduct further forensic analysis.

Mozilla confirmed the adoption of new security measures to improve the security of its systems.

“We are updating Bugzilla’s security practices to reduce the risk of future attacks of this type,” Mozilla’s Richard Barnes wrote in a blog post on Friday. “As an immediate first step, all users with access to security-sensitive information have been required to change their passwords and use two-factor authentication,” 

Mozilla also said it is “reducing the number of users with privileged access and limiting what each privileged user can do.”

Pierluigi Paganini

(Security Affairs – Mozilla, hacking)