Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Mozilla The Internet Security

Firefox Community Site Hacked 292

Ryan Paul writes "The Mozilla Foundation reveals that remote attackers infiltrated the SpreadFirefox server by exploiting a site vulnerability. While it appears as though no personal information was accessed, e-mails were sent to inform all registered SpreadFirefox users of the breach. Ars Technica has the complete story." From the Ars article: "Preliminary analysis indicates that the exploit was limited to SpreadFirefox exclusively, meaning that other Mozilla Foundation web sites were not attacked or compromised. The vulnerability, which was exploited by 'unknown remote attackers,' could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user, as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screename, and home address."
This discussion has been archived. No new comments can be posted.

Firefox Community Site Hacked

Comments Filter:
  • by garcia ( 6573 ) * on Friday July 15, 2005 @02:54PM (#13076426)
    Registered users at the promotional Mozilla community site SpreadFirefox.com were greeted this morning by an e-mail informing them that a July 10 security breach could potentially have enabled attackers to acquire a massive amount of private user data.

    It is likely that exploit was facilitated by a recently discovered vulnerability in Drupal, the open source CMS utilized by SpreadFirefox and other community sites. I have not yet been able to verify my suspicions on the matter, as the Mozilla Foundation has not yet revealed exactly which vulnerability was exploited.


    If it was due to the vulnerability present in older versions of Drupal (pre June 29th) then it was the admins of spreadfirefox.com that left it unpatched until July 10th (11 days). There is no excuse for that kind of delay in patching a vulnerability on a system that could affect as many users as SpreadFirefox caters to.
    • In the very discusson about that exploit here on ./, several (highly upmoderated) posts were highlighting spreadfirefox as a popular user of that CMS.

      No patching even after being presented as an example for a vulnerable site is more than just neglectance.
    • Just because a patch comes out doesnt mean to jump on it immediately and patch the vulnerability. There must be testing first to make sure that this patch does not break anything important in running that site.

      A fatal mistake I see with some admins is that they run patches, service packs, support packs (for you Novell lovers out there) or any kind of fix without extensive testing. The only reason I would throw a patch on a system immediately is if that exploit is causing an immediate problem.

      Yeah t

  • I am *so* glad I use random passwords that are coordinated in a deeply-encrypted PGP file on an encrypted smartcard :_) for my spreadthefox.net password.
  • by Gothmolly ( 148874 ) on Friday July 15, 2005 @02:58PM (#13076474)
    Why would you ever give all that personal info to a random website? Even if you're a big Firefox advocate, what possible value does it add to the project to provide them with your home address? At best, you're going to get spammed. at worst, you get your identity stolen. duh.
    • by John Seminal ( 698722 ) on Friday July 15, 2005 @03:08PM (#13076600) Journal
      Why would you ever give all that personal info to a random website? Even if you're a big Firefox advocate, what possible value does it add to the project to provide them with your home address? At best, you're going to get spammed. at worst, you get your identity stolen. duh.

      I never give real information to any websites. None. I have one spam email account that I use just for activating crap. I give them the wrong state, wrong everything. I don't want to even be included in accurate demographics. Why should I? I just know the information will be sold to some mega corporation. The "privacy statememnt" is not worth the paper it is printed on.

      I'll give one example. There was an awesome website with information for EVERY tv show ever on tv. They had episode information, forums, cast lists, everything. It was called TvTome. For 3 or 4 years, I was a memeber, I loved that website, I talked to lots of people about shows I loved. Then one day, a corporation comes by, and takes this hobby board, and offers the owner 5 million dollars to buy all his data, website, everything. All the people who registered at the old website had their information sold to the new corporation. The new website sucks. It is non-functional, nobody uses it. Do I want some large company buying my personal information? NO!!

      • I'm trying to answer this question for my own website right now. It's a program that lets you manage a dance studio, and I'm starting to design the registration page. I noticed that I instinctively starting adding first name, last name, address, fields, but then I realized, why do I care?

        So now I'm wondering, how can I design a registration page when all I require is a userID and password? Wouldn't that look weird as a registration page? Any advice?
        • I'm trying to answer this question for my own website right now. It's a program that lets you manage a dance studio, and I'm starting to design the registration page. I noticed that I instinctively starting adding first name, last name, address, fields, but then I realized, why do I care?

          So now I'm wondering, how can I design a registration page when all I require is a userID and password? Wouldn't that look weird as a registration page? Any advice?

          I think the #1 problem new websites will have is t

      • If you don't give real information to websites, that means you don't buy anything online. Personally I find online purchases useful and convenient. Your attitude is admirable but unfortunately it restricts you from taking full advantage from the web. I'm sure there are other legitimate applications that need real information.
      • I never give real information to any websites.

        Me neither, and it's a good thing, too. I've ordered tons of crap from that rip-off place amazon.com, and NONE of it has EVER arrived! It's a good think I didn't give them my real address... who knows what kind of scams they would pull if they could find my house.

    • This is such a critical point. If the information field is optional, I leave it blank by default. If it is required but I think it is not needed for the site to render the services that I want, then I give an obvious fake. If my home address becomes relevant, you can always give it later.
    • Especially when the site is Firefox- It seems to me that people who kack would get more notoriety and pleasure out of hacking a the site of a product a lot of techies love, rather than hacking, say, the local super market site.
      People who do this type of thing, ie commit a dime for notoriety and attention tend to pick not the most $$$ lucrative targets, but the ones their peers will notice the most...
      Sort of like stealing hubcaps from a police car- the hubcaps aren't any more valuable, but it gets you a bi
    • Well, as long as they couldn't hack past the browser, I guess they decided to go for the site all about the browser. Makes sense in a sick sort of way.
  • oh no (Score:5, Funny)

    by millahtime ( 710421 ) on Friday July 15, 2005 @02:59PM (#13076484) Homepage Journal
    that means they would know my password is password, my name is jo daddy and my email is anonymous124341234@hotmail.com. oh no.
  • by Szaman2 ( 716894 ) on Friday July 15, 2005 @02:59PM (#13076488) Homepage
    Aww... Our little baybe fox is growing up! Look, it just had a first big script kiddie attack trying to take over one of its' sites.. Ah, how this time passes. Only yesterday it was a tiny alpha project no one cared about... I think this only goes to show that Firefox is really becoming more popular nowdays.
  • by appavi ( 679094 ) <saravanannkl.gmail@com> on Friday July 15, 2005 @03:00PM (#13076498)
    content of mail sent to all registered users of SpreadFirefox.com site

    From: admin@spreadfirefox.com
    Reply-To: admin@spreadfirefox.com
    To: announce@spreadfirefox.com
    Date: Jul 15, 2005 2:52 AM
    Subject: Spread Firefox outage and privacy breach notice

    On Tuesday, July 12, the Mozilla Foundation discovered that the server hosting Spread Firefox, our community marketing site, had been accessed on Sunday, July 10 by unknown remote attackers who exploited a security vulnerability in the software running the site. This exploit was limited to SpreadFirefox.com and did not affect other mozilla.org web sites or Mozilla software.

    We don't have any evidence that the attackers obtained personal information about site users, and we believe they accessed the machine to use it to send spam. However, it is possible that the attackers acquired information site users provided to the site.

    As a Spread Firefox user, you have provided us with a username and password. You may also have provided us with other information, including a real name, a URL, an email address, IM names, a street address, a birthday, and private messages to other users.

    We recommend that you change your Spread Firefox password and the password of any accounts where you use the same password as your Spread Firefox account. To change your Spread Firefox password, go to SpreadFirefox.com, log in with your current password, select "My Account" from the sidebar, select "Edit Account" from the sidebar, then enter your new password into the Password fields and press the "Save user information" button at the bottom of the page.

    The Mozilla Foundation deeply regrets this incident and is taking steps to prevent it from happening again. We have applied the necessary security fixes to the software running the site, have reviewed our security plan to determine why we didn't previously apply those fixes in this case, and have modified that plan to ensure we do so in the future.


    Sincerely,
    The Mozilla Foundation
  • Welcome, Firefox (Score:4, Insightful)

    by Mr. Maestro ( 876173 ) * on Friday July 15, 2005 @03:00PM (#13076504)
    Firefox, I'd like to introduce you to "wide-spread" usage.
    Wide spread usage, this is firefox.
    (sarcastic comment overload)
    • Don't worry, the Apache Foundation already made the introductions.

      They're still waiting on meeting this mysterious Mr. Code Red, and his second cousin, Ms. Nimda.

      Dr. Slammer could not be reached for comment.
  • Mozilla Not At Risk! (Score:5, Informative)

    by CypherXero ( 798440 ) on Friday July 15, 2005 @03:00PM (#13076514) Homepage
    SpreadFirefox.com is based on Drupal CMS, and is in no way a sign that Mozilla can be hacked because of this. Yes, anything and anyone can be hacked, but I keep seeing a lot of people think that the Mozilla Foundation is at risk. But not with this hack, because they (Mozilla) don't run Drupal. Drupal has had vulnerabilities like this before in their older versions (I got attacked with it on my Online Portfolio site, which ran a vulnerable version of Drupal).

    Just clearing that up for people.
  • by JohnnyNoSPAM ( 815401 ) on Friday July 15, 2005 @03:02PM (#13076528)
    I am sure that there are some folks out there looking for something like this to blast open source enthusiasts and the like with a big "Ha! You no better than we are. Told you so!". Moreover, I am sure that there will be some who will somehow try to link this vulnerability exploit with the browser itself.

    As mentioned previously, it happens to the best of us, so we all need to be on top of keeping up with patches and installing them.

    • Or to run out the old line, "Forget about security fixes. Why did the developers write insecure, buggy code to start with?"
  • Spread Firefox (Score:3, Insightful)

    by Scoria ( 264473 ) <slashmail AT initialized DOT org> on Friday July 15, 2005 @03:02PM (#13076535) Homepage
    as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screename, and home address.

    That's precisely why you should always treat information submitted to a site like Spread Firefox as though it will be released to the public sometime in the future. If you aren't ready for everybody to have access to your home address, then simply don't release your home address.
  • ...The vulnerability, which was exploited by 'unknown remote attackers,' could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user, as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screename, and home address.

    Lots of people probably use the same password for their email and websites such as SpreadFirefox. If any users use webmail and provided thei

    • I would have thought that SpreadFirefox would have used hashes and salt on their passwords, but apparently this isn't the case.

      If their software is remotely modern, then the user passwords are probably stored as "irrevocable" hashes. It wouldn't stop their attacker from sniffing the contents of an unencrypted HTTP POST during authentication, however, and that could be one reason Asa is advocating that users change their passwords.
    • Given enough time and computing power, even a salted password hash can be broken by brute force. Markus Hess did that with passwords scammed from Cliff Stoll's machine all the way back in 1986, as described in The Cuckoo's Egg; the laws of mathematics haven't changed since then.

      And it looks like the Mozilla Foundation realizes this, too, and are giving good advice.

    • How secure would a hashed password be, if it uses the user name and another key as the salt?

      For example, say my username is SoCalChris, and my password is 12345. When it hashes the password, it would hash "SoCalChris12345SomeRandomKey".

      Would that be more secure than just using a key, so that all password hashes use the same salt?

      I'm thinking that by using the username in the salt, it makes it impossible to do a brute force attack for all users at the same time, but would instead make it so that you
  • by WebHostingGuy ( 825421 ) * on Friday July 15, 2005 @03:03PM (#13076545) Homepage Journal
    When I read this the first thing that went through my mind is that someone targeted the site. But it sounds like a spammer just used it to send out emails (as far as I know now). Based upon this I doubt that the site was even targeted at all. I bet an automated script searched through google and is looking for drupal sites to exploit. phpBB has this happen quite a bit. Once a site is found the script automates the hack and then sends out the spam.

    My guess it that the spammer didn't even know what site they hacked.
    • It's a bit early to suggest that it was an automated attack. While that is of course a possibility, there has been very little actual information from the SpreakFirefox people. Until they disclose far more information about this attack to the public (which may not happen if they are pursuing this matter via the authorities), it is a false reassurance to suggest that it was only automated and that no data was maliciously stolen.

  • Passwords? Doubt it (Score:5, Interesting)

    by RickPartin ( 892479 ) on Friday July 15, 2005 @03:05PM (#13076556) Homepage
    I really doubt that any passwords were even there. Any site with brains is storing it as an MD5 hash. In fact I've never used any content management systems or forum software that stored it as plain text.
    • by oscarm ( 184497 )
      You're right but unless you're encrypting them in javascript before a form sends it to the server, passwords are making they're way from the browser to your server in plaintext (even over ssl - there its just the transport that's encrypted).

      From there, a truly malicious user could get them from database select statements (by turning on and looking at db logs, like mysql's query log), or changing your CMS's authentication code to also email the username/passwords during the authentication process to an ex
    • Well, a lot of us here have. Your UID is too high for you to remember, I think (but maybe you lurked here a really long time before registering, like I did), but Slashdot used to store our passwords in plain text. And Murphy's Law being what it is, Slashdot got rooted [slashdot.org], and everyone's logins were laid bare to the hacker (who was fortunately of the benevolent sort). It even happened once before that, two year earlier in 1998.

      Good times, eh?
    • *points to sig*

      If they wanted the passwords, they could get 'em :)
  • the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user, as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screename, and home address

    No worries. All that means is some geek in a Dr. Doom custom might show up at other nerds' parents' home looking for the comic book convention being held in the basement.

  • "It doesn't look like the attacker accessed any personal data on the site, but to be safe, we're encouraging all of our users to log in and change their passwords."

    Why should I trust their competency now? They let their server be compromised by a very well-known, well-publicized, and fixed/patch-available vulnerability. How can I be sure that the operators of the attacked site are capable of properly analyzing the attack? I mean, if they can't even keep up to date with the latest patches, then how can the
  • I must have missed something here. In fact, I'm sure I have.

    If they broke in and the system was properly designed, shouldn't they have what amounts to an /etc/passwd file which they then have to crack? In other words, if you used strong passwords, you should be safer than if you used "Z1ON101" or "secret" as the password?

    Not that this by any stretch of the imagination implies that a "strong" password can't be cracked in this situation, just that it's more trouble.

    • Right, sites should never be storing cleartext passwords. You store the hash of the password and each time the user enters a password, you hash it and compare to the stored value.

      This way you never store the actual password on the server and it is nearly impossible recover the password. A quick test is, try the "forgot password" feature of a site. If it sends you back your cleartext password, you know the site is not safely handling logins.

      However once a site is hacked, the attacker can of course read any
  • I keep hearing about how products like PHP-Nuke, phpBB and now Drupal are quite vulnerable and easily cracked or exploited. Is this caused by inherent flaws within PHP, or is it because of improper installations? If it is because of improper installations, is that because it is extremely difficult or time consuming to properly secure a PHP installation?

    I have been considering moving some sites to a PHP-based system for some time now, but after hearing stuff like this I just don't know about PHP anymore.
    • The problem is insecure applications built on top of PHP, not PHP itself.
    • It's caused by poor programming practices and general laziness. The php language will only do what you allow it to do. If you accept any $_POST data that is thrown your way, without verifying the validity of the originating poster, you wreap what you sew.

      Database access is given through the php script, if you fail to double check the content being drawn, ( example: SELECT * FROM user_table, opposed to SELECT * FROM user_table WHERE id=blaat ), this is poor program security.

      A majority of the OpenSource php
  • Drupal requires security patching, shipped XML_RPC pear library in php vulnerable, phpBB open to spam hacks, phpnuke and derivs allow remote url inclusion for DDOS hackers :: pants as he sends out client update emails and applies patches::

    This is just another PHP growing pain. Sysadmins continue to watch the patches. Perl mongers.. "I told you so" is over rated...
  • Exploit they used:
    "I found out that there's a "new" drupal exploit which allows posters to inject arbitrary code into the system for execution on the server -by way of comments. The Drupal.org site is presently down, and apparently has been last night. If you're running Drupal 4.5.1 or 4.6.2, turn off your comments. For visitors here, I'm sorry that you presently cannot comment and I'll turn them back on as soon as possible."
    http://www.knowprose.com/node/2866 [knowprose.com]

    Sample source code of the exploit:
    http://ww [milw0rm.com]
  • I really doubt that the passwords were ever vulnerable since SpreadFirefox runs on Drupal and I'm fairly certain that Drupal hashes them (MD5) before storing them in the database. Worst case then would be that people got the hashes and could hack them, but it's quite a chore for a fairly unimportant login (it's not like it's my banking data).

    Anyone else get creeped out when big commercial sites don't hash passwords (and can therefore recover them)?
  • by Teja ( 826685 ) on Friday July 15, 2005 @03:49PM (#13077011) Journal
    SpreadFirefox uses a variant to Drupal, named CivicSpace [civicspacelabs.org]. Does that make much difference with patching? Maybe only a few aspects are different. I installed it, I've only noticed just some minor changes, nothing too major really (of course, I spent only a few minutes with it), but personally I'd probably stick to Drupal. Larger community base.
  • I think this is the appropriate space (and time) to ask a question that I have not yet been able to figure out how to answer. I'm writing an application which needs to store usernames/passwords of various users but not to be authenticated into my application. Rather, that data is needed so that the program I am writing could check email on the behalf of these users. So essentially, there's a third system (let's call it GMail POP server) that needs to know the usernames/passwords that I stored for my users.
    • you could use a real encryption scheme but its not really worth it. If your app has the key to decode it then any attacker with access to the apps data dirs probablly can get the key rendering the encryption moot.

      any encryption scheme used would therefore be only for protecting against accidental viewing by admins it has no use against an attacker or against an admin that really wan'ts the password.
  • \Given that Spreadfirefox by its very mission had such sensitive information that could have been used to destroy so many users lives, it is deplorable that the admins were not more tight about security.\

  • notes on the breach (Score:3, Informative)

    by mykmelez ( 6506 ) <myk AT melez DOT com> on Friday July 15, 2005 @09:17PM (#13078993) Homepage

    I'm a foundation employee and the guy who wrote the message we sent to Spread Firefox users. A few notes:

    • Spread Firefox does not store plaintext passwords; it hashes them using MD5. So if the attackers have obtained the passwords, they cannot easily use them to gain access to user accounts. Nevertheless, since weak hashed passwords are susceptible to brute force attacks, there is some risk from the exposure, and that is why we recommended users change their passwords.
    • The attackers did indeed exploit the vulnerability in the XML-RPC for PHP library shipped with Drupal [securityfocus.com].

"An idealist is one who, on noticing that a rose smells better than a cabbage, concludes that it will also make better soup." - H.L. Mencken

Working...