Firefox Community Site Hacked
Ryan Paul writes "The Mozilla Foundation reveals that remote attackers infiltrated the SpreadFirefox server by exploiting a site vulnerability. While it appears as though no personal information was accessed, e-mails were sent to inform all registered SpreadFirefox users of the breach. Ars Technica has the complete story." From the Ars article: "Preliminary analysis indicates that the exploit was limited to SpreadFirefox exclusively, meaning that other Mozilla Foundation web sites were not attacked or compromised. The vulnerability, which was exploited by 'unknown remote attackers,' could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user, as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screen name, and home address."
Registered users at the promotional Mozilla community site SpreadFirefox.com were greeted this morning by an e-mail informing them that a July 10 security breach could potentially have enabled attackers to acquire a massive amount of private user data.
It is likely that the exploit was facilitated by a recently discovered vulnerability in Drupal, the open source CMS utilized by SpreadFirefox and other community sites. I have not yet been able to verify my suspicions on the matter, as the Mozilla Foundation has not yet revealed exactly which vulnerability was exploited.
If it was due to the vulnerability present in older versions of Drupal (pre June 29th) then it was the admins of spreadfirefox.com that left it unpatched until July 10th (11 days). There is no excuse for that kind of delay in patching a vulnerability on a system that could affect as many users as SpreadFirefox caters to.
From: admin@spreadfirefox.com
Reply-To: admin@spreadfirefox.com
To: announce@spreadfirefox.com
Date: Jul 15, 2005 2:52 AM
Subject: Spread Firefox outage and privacy breach notice
On Tuesday, July 12, the Mozilla Foundation discovered that the server hosting Spread Firefox, our community marketing site, had been accessed on Sunday, July 10 by unknown remote attackers who exploited a security vulnerability in the software running the site. This exploit was limited to SpreadFirefox.com and did not affect other mozilla.org web sites or Mozilla software.
We don't have any evidence that the attackers obtained personal information about site users, and we believe they accessed the machine to use it to send spam. However, it is possible that the attackers acquired information site users provided to the site.
As a Spread Firefox user, you have provided us with a username and password. You may also have provided us with other information, including a real name, a URL, an email address, IM names, a street address, a birthday, and private messages to other users.
We recommend that you change your Spread Firefox password and the password of any accounts where you use the same password as your Spread Firefox account. To change your Spread Firefox password, go to SpreadFirefox.com, log in with your current password, select "My Account" from the sidebar, select "Edit Account" from the sidebar, then enter your new password into the Password fields and press the "Save user information" button at the bottom of the page.
The Mozilla Foundation deeply regrets this incident and is taking steps to prevent it from happening again. We have applied the necessary security fixes to the software running the site, have reviewed our security plan to determine why we didn't previously apply those fixes in this case, and have modified that plan to ensure we do so in the future.
Sincerely,
The Mozilla Foundation
You can crack MD5 hashes.
RTJKJAS
SpreadFirefox.com is based on Drupal CMS, and is in no way a sign that Mozilla can be hacked because of this. Yes, anything and anyone can be hacked, but I keep seeing a lot of people think that the Mozilla Foundation is at risk. But not with this hack, because they (Mozilla) don't run Drupal. Drupal has had vulnerabilities like this before in their older versions (I got attacked with it on my Online Portfolio site, which ran a vulnerable version of Drupal).
Just clearing that up for people.
No, they are hashed. But really, any site that hashes their passwords with at least MD5 is pretty safe. My password is sixteen characters long, so the chance of it being cracked is very near zero.
I try not to visit sites that store passwords as plain text somewhere.
It does not exist.
Exploit they used:
1 2241&tid=169&tid=8
"I found out that there's a "new" drupal exploit which allows posters to inject arbitrary code into the system for execution on the server -by way of comments. The Drupal.org site is presently down, and apparently has been last night. If you're running Drupal 4.5.1 or 4.6.2, turn off your comments. For visitors here, I'm sorry that you presently cannot comment and I'll turn them back on as soon as possible."
http://www.knowprose.com/node/2866
Sample source code of the exploit:
http://www.milw0rm.com/id.php?id=1088
Red Hat Advanced Server 3.0 powers spreadfirefox.com:
Response Headers - http://www.spreadfirefox.com/
Date: Fri, 15 Jul 2005 20:01:52 GMT
Server: Apache/2.0.52 (Red Hat)
This vulnerability has been known for over 2 weeks. Was there no Red Hat patch available or did the admins slack off?
Also, isn't it strange how Drupal gets 2 posts on Slashdot in the same day?
Community, OSL and Sun Jump to Drupal's Rescue - http://it.slashdot.org/article.pl?sid=05/07/15/12
-Joe
1) Mozilla's the good guys. Microsoft's the evil empire.
Good and evil are completely subjective. Someone pro-Microsoft could think Firefox is the devil incarnate (let's not discuss why someone would be pro-Microsoft and just grant the premise that there could exist a tech savvy zealot with either something against Mozilla or a hard-on for MS).
2) As said in the summary, these guys could get, "real names, web site URLs, e-mail addresses, IM screen names, and home addresses." No credit card information, no bank account numbers, nothing of value other than matching a name&address to a login. Since nobody's sharing any MP3s or warez or doing anything illegal, how does a name&address hurt anybody?
Web site URLs, email addresses, IM screennames = new targets for spamming. If we assume the intruders acted with spamming in mind, electronic contact info of any kind is key.
3) I myself haven't even heard of SpreadFireFox's website until today. It's not a big-name deal. I doubt anybody's going to get their name on CNN for this. So, no publicity beyond Slashdot.
So, why hack SpreadFirefox?
Why do hackers hack anything?
Because they can.
I can't answer the third point directly, but a hacker's motivation is partially driven by "can I do this?"
I really doubt that the passwords were ever vulnerable since SpreadFirefox runs on Drupal and I'm fairly certain that Drupal hashes them (MD5) before storing them in the database. Worst case then would be that people got the hashes and could hack them, but it's quite a chore for a fairly unimportant login (it's not like it's my banking data).
Anyone else get creeped out when big commercial sites don't hash passwords (and can therefore recover them)?
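Added example, not part of the original thread and not Drupal's or Mozilla's code: several comments above describe passwords stored as unsalted MD5 digests. This Python code shows that identical passwords then share one digest, and how an operator can wrap the existing digests in a salted, iterated KDF immediately, without knowing the passwords. The `pbkdf2-md5$...` record format, the function names, the iteration count and the sample table are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest, the storage scheme the comments describe."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def wrap_legacy(md5_hex: str) -> str:
    """Wrap a stored MD5 digest in salted PBKDF2; no plaintext needed."""
    salt = os.urandom(16)  # fresh per-user salt
    dk = hashlib.pbkdf2_hmac("sha256", md5_hex.encode("ascii"), salt, ITERATIONS)
    return f"pbkdf2-md5${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a login attempt against a wrapped record."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        salt, rounds = bytes.fromhex(salt_hex), int(iters)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2-md5":
        return False
    # Recompute MD5 first, because the wrapped input was the old digest.
    inner = legacy_md5(password).encode("ascii")
    candidate = hashlib.pbkdf2_hmac("sha256", inner, salt, rounds)
    return hmac.compare_digest(candidate.hex(), dk_hex)  # constant-time compare


def migrate(table: dict) -> dict:
    """Convert every legacy record in one pass."""
    return {user: wrap_legacy(digest) for user, digest in table.items()}


# Constructed sample user table: two users who chose the same password.
LEGACY_TABLE = {
    "alice": legacy_md5("correct horse battery"),
    "bob": legacy_md5("correct horse battery"),
}
```

After `migrate()`, the two records no longer match each other, so one precomputed table no longer covers every user, and each guess costs `ITERATIONS` rounds instead of a single MD5.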
I'm a foundation employee and the guy who wrote the message we sent to Spread Firefox users. A few notes:
No, mirrors.playboy.com is an official Mozilla FTP mirror (one of about 80 or so). For probably obvious reasons a lot of businesses probably block any access to that domain though. The download link on mozilla.org will send you to a random server off the mirrors list when you click it, so just try again and you'll probably get it from a different server.