Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Mozilla Firefox Security

Bugzilla Breached, Private Vulnerability Data Stolen 97

darthcamaro writes: Mozilla today publicly announced that secured areas of bugzilla, where non-public zero days are stored, were accessed by an attacker. The attacker got access to as many as 185 security bugs before they were made public. They say, "We believe they used that information to attack Firefox users." The whole hack raises the issue of Mozilla's own security, since it was a user password that was stolen and the bugzilla accounts weren't using two-factor authentication. According to Mozilla's FAQ about the breach (PDF), "The earliest confirmed instance of unauthorized access dates to September 2014. There are some indications that the attacker may have had access since September 2013."
This discussion has been archived. No new comments can be posted.

Bugzilla Breached, Private Vulnerability Data Stolen

Comments Filter:
  • Haha. (Score:3, Insightful)

    by Anonymous Coward on Friday September 04, 2015 @03:59PM (#50459441)
    You just can't make this stuff up.

    I've come to the conclusion that human nature just does not allow good security. If you make something completely secure, you've spent way too much time on it and your competitors have beat you to market. People don't care.
    • Mozilla has a nasty habit of warehousing bugs that can't get fixed with the wave of a hand. that's why I quit the thing for Chrome a long time ago.

      • Mozilla has a nasty habit of warehousing bugs that can't get fixed with the wave of a hand. that's why I quit the thing for Chrome a long time ago.

        There is a rumor that the hack was from a couple personal residences
        commuting distance from NATIONAL SECURITY AGENCY (NSA) HEADQUARTERS.

        But that could be someone pulling yer leg.

        It does tell me that layers of authentication and security for
        companies and agencies very much needs attention.

        We have an Email server that apparently contained email
        at multiple levels. We have Snowden sitting at a desk able to
        take screen shots of anything he cared to. We have hacks
        of federal personnel files, Target and more...

        S

    • by Anonymous Coward

      Indeed. I worked for software 'security' startup with security certifications and security is the least important priority. They have documented procedures that are demanded by the customers and they exist purely for show.
      Some examples are:
      - Most developers have full read/write access to customer data and many modify it without telling anyone (procedures require tickets).
      - Vulnerabilities such as XSS are ignored by developers and we have to notify customers within 30 days by contract. Upper management order

  • by Bill Hayden ( 649193 ) on Friday September 04, 2015 @04:09PM (#50459481) Homepage

    The most interesting aspect of this, in my opinion, is that once the vulnerabilities were known to not be private anymore, the vendor (Mozilla in this case) immediately fixed all of them. Some bugs had been open for over 300 days. What this says to me is that by keeping vulnerabilities private, it makes vendors lazy about fixing them, and is another data point in favor of the "full disclosure" model of computer security.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      What this says to me

      I'm glad it's talking to you, and not that you're actually concluding anything, nor even making correct observations.

      It demonstrates that disclosure should occur after a certain limited time period, but not "full disclosure". No bug is fixed instantly, and Mozilla didn't "immediately" do anything - it just did so in short time.

      It never ceases to amuse me how binary nerds are in their answers to problems. Every real-world problem involves a nuanced solution which acknowledges extremes only as an initial, cru

    • by Anonymous Coward on Friday September 04, 2015 @04:37PM (#50459585)

      Absolutely true.

      There was one password stealing bug (javascript can steal focus between tabs) that I was tracking in Firefox for _over 2 years_ that kept getting deferred.

      Then one day, it got reported on one of the big security mailing lists. Suddenly, a new bug report got created and fixed within 2 days, and the 2 year old bug report got marked as a duplicate. The devs went on to pat themselves on the backs and crow publicly about how they fixed it so quickly.

    • by Anonymous Coward

      After reading the article it seems like they held up on those last 10 severe vulnerabilities due to potential regressions.

    • by davidwr ( 791652 ) on Friday September 04, 2015 @05:33PM (#50459853) Homepage Journal

      The most interesting aspect of this, in my opinion, is that once the vulnerabilities were known to not be private anymore, the vendor (Mozilla in this case) immediately fixed all of them

      A better way of saying what really happened:

      ... is that once the vulnerabilities were known to not be private anymore, the vendor ... was forced to pull resources from more severe but still-believed-to-be-undisclosed bugs to get these patched, resulting in delays in getting those more-severe bugs fixed.

    • by radarskiy ( 2874255 ) on Friday September 04, 2015 @05:51PM (#50459973)

      "it makes vendors lazy about fixing them"

      You cannot say this without knowing what they were doing instead of fixing these particular bugs. They may have correctly triaged the undisclosed bugs in terms of importance until disclosure forced less important bugs to a higher urgency.

      • by DNS-and-BIND ( 461968 ) on Saturday September 05, 2015 @04:29AM (#50461527) Homepage
        Oh, come on, that's bullshit, Mozilla hates fixing bugs and would much rather work on adding new features. Anytime someone tries to pull that "we are working on more important bugs" baloney, it means they're not working on anything. Those bugs will sit there unfixed for years, if they were actually prioritizing bugs they'd get fixed eventually. But, no. It's just a phrase they use to brush off criticism.
      • "it makes vendors lazy about fixing them"

        You cannot say this without knowing what they were doing instead of fixing these particular bugs.

        we do know, they SAT ON THEM

      • by amorsen ( 7485 )

        They may have correctly triaged the undisclosed bugs in terms of importance until disclosure forced less important bugs to a higher urgency.

        They made the assumption that undisclosed bugs are unknown to blackhats. As the breach shows, that is a pretty bad assumption.

        Basing importance on the disclosure status is a horrible policy, and the only effective antidote is immediate full disclosure without grace period.

  • by Da w00t ( 1789 ) on Friday September 04, 2015 @04:21PM (#50459521) Homepage
    Please update the article title, JFC.
  • by 93 Escort Wagon ( 326346 ) on Friday September 04, 2015 @04:38PM (#50459593)

    Perhaps Mozilla discovered this long ago, but have spent all this time trying to ascertain the political opinions held by the attacker?

  • I'm beginning to hate computers with a passion.
    • Why? Computers only do what the programmers tell them to. What exactly do you hate about them?

    • by antdude ( 79039 )

      Same here. I used to love computers, but these days I care not for them. Looking at the recent and newer stuff don't excite me anymore like those mobile, GUI, so many bugs, lack of support, security, so many updates, etc. Maybe it is my old age. :(

  • Nomen est Omen.

  • by SeaFox ( 739806 ) on Friday September 04, 2015 @05:01PM (#50459707)

    Gee Mozilla. Better get to work fixing those 185 vulnerabilities now, instead of sitting on them while you work on copying Chrome's look and feel or think of new unrelated tech ventures to get involved in.

    • by 0123456 ( 636235 )

      Fixing bugs is boring. Particularly when you're an SJW who wants to Save The World.

    • Apparently most of the have been fixed a long time ago, the rationale behind the 185 number is that the account was compromised back in September 2013 and according to the user history he had looked at 185 bugs during that time frame.
    • by Lennie ( 16154 )

      Do you really believe you can easily find developers that are really good at security code auditing and fixing security issues or use other developers and let them fix these security issues. I don't think these things are related.

      • by SeaFox ( 739806 )

        Firefox isn't one of those volunteer-staffed community projects. It has a large non-profit with paid developers backing it. Given all the people that use Firefox on a day-to-day basis to carry out sensitive health and financial-related tasks online, is it wrong to think Mozilla should hire a security-focused developer into the fold?

  • ...this kind of thing will happen. Hopefully they're competent enough to fix it.

  • In completely unrelated news their bank account was also breached when a literal ton of money was deposited by Five Eyes.

Like punning, programming is a play on words.

Working...