Bugzilla Breached, Private Vulnerability Data Stolen
darthcamaro writes: Mozilla today publicly announced that secured areas of Bugzilla, where non-public zero-days are stored, were accessed by an attacker. The attacker got access to as many as 185 security bugs before they were made public. They say, "We believe they used that information to attack Firefox users." The whole hack raises the issue of Mozilla's own security, since it was a user password that was stolen and the Bugzilla accounts weren't using two-factor authentication. According to Mozilla's FAQ about the breach (PDF), "The earliest confirmed instance of unauthorized access dates to September 2014. There are some indications that the attacker may have had access since September 2013."
Haha. (Score:3, Insightful)
I've come to the conclusion that human nature just does not allow good security. If you make something completely secure, you've spent way too much time on it and your competitors have beat you to market. People don't care.
Re: (Score:2, Interesting)
Bugzilla is an especially bad piece of software. I had to use it for years.
Here's the proof:
https://bugzilla.mozilla.org/show_bug.cgi?id=540
This bug has been open since 1999 and survived a complete rewrite of Bugzilla in another language. Nice read if you have the time.
How someone could still use this piece of crap is beyond me. Especially Mozilla.
Re: (Score:2)
The bug is unfixed for philosophical reasons, not because it's hard to fix. The Bugzilla developers feel history should be immutable.
And there has been no rewrite into another language since that bug was filed; Bugzilla as released by Mozilla has always been in Perl.
Gerv
Re: (Score:2)
There was no issue with the Bugzilla software here; the problem was that a user reused their password on another site, which suffered a breach.
Gerv
If they would FIX bugs, this would not happen (Score:2)
Mozilla has a nasty habit of warehousing bugs that can't get fixed with the wave of a hand. That's why I quit the thing for Chrome a long time ago.
Re: (Score:1)
Mozilla has a nasty habit of warehousing bugs that can't get fixed with the wave of a hand. That's why I quit the thing for Chrome a long time ago.
There is a rumor that the hack was from a couple personal residences commuting distance from NATIONAL SECURITY AGENCY (NSA) HEADQUARTERS. But that could be someone pulling yer leg.
It does tell me that layers of authentication and security for companies and agencies very much need attention.
We have an email server that apparently contained email at multiple levels. We have Snowden sitting at a desk able to take screen shots of anything he cared to. We have hacks of federal personnel files, Target and more...
S
Re: (Score:1)
Indeed. I worked for a software 'security' startup with security certifications, and security is the least important priority. They have documented procedures that are demanded by the customers, and they exist purely for show.
Some examples are:
- Most developers have full read/write access to customer data and many modify it without telling anyone (procedures require tickets).
- Vulnerabilities such as XSS are ignored by developers and we have to notify customers within 30 days by contract. Upper management order
Re:Chrome (Score:5, Informative)
Just one more reason to use Chrome. Firefox hasn't offered anything in years that Chrome doesn't do and do better, and since it's free and open source there's really no reason at all to stick with a legacy browser.
Chromium is open source. Chrome is not.
Re: (Score:2)
The Fedora build of Firefox is certainly built from source. It is still called Firefox.
Fedora is discussing whether it is feasible to continue with Firefox-branded Firefox due to the new signed-addon policy. But for now, you can certainly get your open source Firefox fix that way.
Re: (Score:2)
The code for the DRM module Firefox uses is not part of the Firefox build system, but is downloaded at runtime. This can be done whether it's a Firefox built by Mozilla or not. So the DRM question has no bearing on whether you can call your version Firefox or not.
This series of blog posts: http://blog.gerv.net/2010/01/p... [gerv.net] explains why Mozilla doesn't let just anyone call their modified version "Firefox".
Gerv
Re: (Score:2)
And without Firefox, lots of things Chrome/Chromium/Opera do don't get to be standards.
Because it's Firefox (Gecko) and Chrome/Chromium/Opera (Blink) that are ahead of the pack. You need at least 2 browser (engine) implementations to make a standard.
I would prefer multiple open source implementations and standards, and not just a single open source implementation.
Standards are the only way we can get rid of things like Flash.
Interesting Data Point (Score:5, Interesting)
The most interesting aspect of this, in my opinion, is that once the vulnerabilities were known to not be private anymore, the vendor (Mozilla in this case) immediately fixed all of them. Some bugs had been open for over 300 days. What this says to me is that by keeping vulnerabilities private, it makes vendors lazy about fixing them, and is another data point in favor of the "full disclosure" model of computer security.
Re: (Score:3, Interesting)
What this says to me
I'm glad it's talking to you, and not that you're actually concluding anything, nor even making correct observations.
It demonstrates that disclosure should occur after a certain limited time period, but not "full disclosure". No bug is fixed instantly, and Mozilla didn't "immediately" do anything - it just did so in short time.
It never ceases to amuse me how binary nerds are in their answers to problems. Every real-world problem involves a nuanced solution which acknowledges extremes only as an initial, cru
Re:Interesting Data Point (Score:4, Insightful)
Absolutely true.
There was one password stealing bug (javascript can steal focus between tabs) that I was tracking in Firefox for _over 2 years_ that kept getting deferred.
Then one day, it got reported on one of the big security mailing lists. Suddenly, a new bug report got created and fixed within 2 days, and the 2 year old bug report got marked as a duplicate. The devs went on to pat themselves on the backs and crow publicly about how they fixed it so quickly.
Re: (Score:1)
After reading the article it seems like they held up on those last 10 severe vulnerabilities due to potential regressions.
Flip side: Higher priority bugs remain unfixed (Score:4, Insightful)
The most interesting aspect of this, in my opinion, is that once the vulnerabilities were known to not be private anymore, the vendor (Mozilla in this case) immediately fixed all of them
A better way of saying what really happened:
... is that once the vulnerabilities were known to not be private anymore, the vendor ... was forced to pull resources from more severe but still-believed-to-be-undisclosed bugs to get these patched, resulting in delays in getting those more-severe bugs fixed.
Re:Interesting Data Point (Score:4, Insightful)
"it makes vendors lazy about fixing them"
You cannot say this without knowing what they were doing instead of fixing these particular bugs. They may have correctly triaged the undisclosed bugs in terms of importance until disclosure forced less important bugs to a higher urgency.
Re: (Score:2)
"it makes vendors lazy about fixing them"
You cannot say this without knowing what they were doing instead of fixing these particular bugs.
we do know, they SAT ON THEM
Re: (Score:2)
They may have correctly triaged the undisclosed bugs in terms of importance until disclosure forced less important bugs to a higher urgency.
They made the assumption that undisclosed bugs are unknown to blackhats. As the breach shows, that is a pretty bad assumption.
Basing importance on the disclosure status is a horrible policy, and the only effective antidote is immediate full disclosure without grace period.
*Mozilla* Bugzilla breached. Not all bugzillas (Score:5, Informative)
Re:Lol (Score:4, Interesting)
Noscript + adblock + ghostery + gestures + faviconizetab + tabmixplus + Not_from_Google + Not_from_Apple + Not_from_MS + ...
Noticeably absent is WHEN this happened (Score:3)
Perhaps Mozilla discovered this long ago, but have spent all this time trying to ascertain the political opinions held by the attacker?
I hate computers (Score:2)
Re: (Score:2)
Why? Computers only do what the programmers tell them to. What exactly do you hate about them?
Re: (Score:2)
Same here. It amazes me how easily they break in software and hardware. They're getting too complex. I prefer older stuff that just works well. :/
Re: (Score:2)
Same here. I used to love computers, but these days I care not for them. Looking at the recent and newer stuff doesn't excite me anymore, like those mobile, GUI, so many bugs, lack of support, security, so many updates, etc. Maybe it is my old age. :(
Bugzilla (Score:2)
Nomen est Omen.
A return to priorities? (Score:3, Insightful)
Gee Mozilla. Better get to work fixing those 185 vulnerabilities now, instead of sitting on them while you work on copying Chrome's look and feel or think of new unrelated tech ventures to get involved in.
Re: (Score:1)
Fixing bugs is boring. Particularly when you're an SJW who wants to Save The World.
Re: (Score:2)
Do you really believe you can easily find developers that are really good at security code auditing and fixing security issues, or use other developers and let them fix these security issues? I don't think these things are related.
Re: (Score:2)
Firefox isn't one of those volunteer-staffed community projects. It has a large non-profit with paid developers backing it. Given all the people that use Firefox on a day-to-day basis to carry out sensitive health and financial-related tasks online, is it wrong to think Mozilla should hire a security-focused developer into the fold?
And tonight, somewhere, an NSA agent ... (Score:2)
... is crying.
When SJW diversity trumps competency... (Score:1)
...this kind of thing will happen. Hopefully they're competent enough to fix it.
"Breached" (Score:1)