Firefox Community Site Hacked
Ryan Paul writes "The Mozilla Foundation reveals that remote attackers infiltrated the SpreadFirefox server by exploiting a site vulnerability. While it appears as though no personal information was accessed, e-mails were sent to inform all registered SpreadFirefox users of the breach. Ars Technica has the complete story." From the Ars article: "Preliminary analysis indicates that the exploit was limited to SpreadFirefox exclusively, meaning that other Mozilla Foundation web sites were not attacked or compromised. The vulnerability, which was exploited by 'unknown remote attackers,' could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user, as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screen name, and home address."
Why would you ever give all that personal info to a random website? Even if you're a big Firefox advocate, what possible value does it add to the project to provide them with your home address? At best, you're going to get spammed. At worst, you get your identity stolen. Duh.
I want to delete my account but Slashdot doesn't allow it.
Firefox, I'd like to introduce you to "wide-spread" usage.
Wide-spread usage, this is Firefox.
(sarcastic comment overload)
I hope that they use some of that $10,000 in donations that they received to patch any additional security problems.
How is this insightful? It's nothing but an uninformed troll...
Drupal's staff has already stated that it is using *all* of the money donated for server and backend stuff as that's what the community expected it to be used for when they donated.
Drupal is just like any other piece of open source software... It has bugs, they are patched, and the notifications of the necessity to patch go out to the end users. It's then up to the end users to patch.
SpreadFirefox knew of the vulnerability for 10 days before they were hacked on the 11th day. It's not Drupal's fault that the admins at SpreadFirefox didn't bother to upgrade.
As mentioned previously, it happens to the best of us, so we all need to be on top of keeping up with patches and installing them.
Get some.
as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screen name, and home address.
That's precisely why you should always treat information submitted to a site like Spread Firefox as though it will be released to the public sometime in the future. If you aren't ready for everybody to have access to your home address, then simply don't release your home address.
Do you like German cars?
Lots of people probably use the same password for their email and websites such as SpreadFirefox. If any users use webmail and provided their email address, this could be a big problem. I would have thought that SpreadFirefox would have used hashes and salt on their passwords, but apparently this isn't the case.
It looks like the Mozilla Foundation realized this too:
While there is currently no evidence that the attackers acquired user data, the Mozilla Foundation suggests that registered users change their password and "the password of any accounts where you use the same password as your Spread Firefox account."
Just because a patch comes out doesn't mean to jump on it immediately and patch the vulnerability. There must be testing first to make sure that this patch does not break anything important in running that site.
A fatal mistake I see with some admins is that they run patches, service packs, support packs (for you Novell lovers out there) or any kind of fix without extensive testing. The only reason I would throw a patch on a system immediately is if that exploit is causing an immediate problem.
Yeah, they could have patched earlier, but then we might be reading a /. article about how a Drupal patch crashed the spreadfirefox.com site.
Just my $.02
What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock?
Nice way to twist the argument.
Except that if it was widely publicized that ABC, Inc. locks had a fatal flaw in them, but there was a modification to make it secure. But you didn't and somebody exploited that flaw to steal stuff.
Yes, you'd bear some responsibility since you're housing OTHER people's data and not doing everything reasonable to protect that data... and applying patches is plenty reasonable.
People in cars cause accidents....accidents in cars cause people
What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock??
The above poster said nothing of the kind. He did not blame the site for getting hacked, he blamed the administrators for not providing enough security. Let me rewrite your analogy.
Yesterday at the local businessman's meeting, security expert Mr. Smith revealed that the cheap, Walmart brand padlocks in use on many stores can be broken into very easily with an ordinary pen. Mr. Smith said that these locks should be replaced and are even in use on the jewelry store down the street where a number of us have our membership rings being resized... and two weeks later the jewelry store is broken into with a pen, but someone happened by and the robbers ran away without stealing much.
Would it or would it not be correct to criticize the store owner for not changing the locks, even after they were shown faulty and after the whole group was told that he was using them?
How do we stop people from hacking websites and causing disturbances?
How do we stop people from robbing jewelry stores? Well we make sure the cops enforce the laws and we put in good locks and a security system. Nothing will ever stop all robberies or all cracks, but that does not mean we should not do our best to make any given store or server a hard target. Nor does it mean we should ignore security warnings.
Actually, I came across this at Google News prior to stopping by Slashdot. It's hard to say how much press coverage it will get. I suppose it all depends on whether or not the FUD spinners feel they can use this to show that Open Source is no more secure than proprietary software. Be that as it may, software is a huge part of the picture; however, you can't rule out the impact that the human factor and the choices that admins make (or fail to make) have in maintaining system security.
Get some.
"How many people upon reading the headline immediately suspected that Microsoft is behind this?"
Funny, I suspected the growing popularity and the shitheaded zealotry surrounding Firefox.
Then again, MS is suspected of everything bad in the world around here. You guys are just kidding yourselves if you think Microsoft is Firefox's only enemy.
"Derp de derp."
If this was just someone's lame "Look at pictures of my puppies" website that held no personal information about anyone and it got hacked, the fault would lie totally with the hacker.
You house other people's private data, you better be securing the site, or you are negligent.
Assume that the landlord of your apartment building uses ABC, Inc. locks with said flaw, and fails to fix that flaw in a timely manner, despite the fact that the fix is moderately simple and free to implement. You, the tenant, have no ability to apply this change yourself. Now, when the burglars come and exploit that flaw to steal all of your stuff, wouldn't you want to hold the landlord at least partially to blame as well as the burglars?
Wow. You mean to tell me that they (spreadfirefox.com) were storing passwords locally and in non-hashed (+salt) form?
I assume that every website I have ever registered for is storing their passwords in plaintext. After all, it's slightly easier to manage, nobody expects to get broken into, and people are lazy.
Sure, some sites you visit will be secure against this kind of problem, but as an external customer, how could you ever know?
You're right, but unless you're encrypting them in JavaScript before a form sends it to the server, passwords are making their way from the browser to your server in plaintext (even over SSL; there it's just the transport that's encrypted).
From there, a truly malicious user could get them from database select statements (by turning on and looking at DB logs, like MySQL's query log), or by changing your CMS's authentication code to also email the username/passwords during the authentication process to an external address or to drop them into a file.
How about this analogy:
There's a "webserver", and this "webserver" is running "software". The people that make the "software" have released a "patch" 2 weeks ago that "fixes" a number of "security holes" in the "software".
Then, the people who run this "webserver" didn't apply the "patch", and "webserver" got "hacked".
The "webserver" was also storing "3rd party contact information"; ergo, the people who run the "webserver" should have applied the "patch" more quickly.
Come on, folks. Every thread on Slashdot lately, it seems everyone tries to make analogies, and everyone else is correcting them. We're all geeks; it's not hard to understand the concept of "unpatched webserver gets hacked" or "non-encrypted wireless internet used by passerby", or a hundred other things that seem foreign to the talking heads on CNN's "technology report". We get it. It is what it is.
~Wil
sig?
What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock??
The problem is with the criminal who breaks into websites. If I wanted zero security for my website, I should be allowed to have zero security and not have anyone hack in.
Ugh, I am so sick of the never-ending analogies in this friggin place! Try this non-analogous rebuttal on for size:
negligence (n.)
1. The state or quality of being negligent.
2. A negligent act or a failure to act.
3. Law. Failure to exercise the degree of care considered reasonable under the circumstances, resulting in an unintended injury to another party.
All locks are flawed. No security is perfect. Since you chose not to move into Fort Knox, you knew that your security was not perfect. Hence I say you are 120% to blame, since you chose not to move into Fort Knox. See, I'm holding you responsible for stuff stolen from your neighbors, and replacing the lock. If you didn't have all that high-priced stuff, the burglars wouldn't have broken in.
Now, here's side B. Admins rush to integrate the fix, but it turns out the fix changes component X's behavior slightly, and erases all your data. Now whose fault is it?
Oh, and side C. When you show up to bitch about how I run my network that you aren't paying for, and that my time is worthless, I get to kick you in the crotch, repeatedly.
My other car is a Popemobile
That's not "much less." It's also very much worth pointing out that homicide rate isn't necessarily an accurate index of crime as a whole, and chances are the statistics mentioned don't take into account all sorts of things completely unrelated to the moral state of man that would boost the statistics. Yes, it's bad to rob a store. It's also foolish to leave a store undefended against robbery, and you are responsible if you lose other people's property because of your failure to take appropriate measures against a known threat. Just like if you lost their stuff or exposed it to corrosive materials on accident. You aren't responsible for the robbery, but you are responsible for the loss. Alternatively: You put something in a safety deposit box at a local company. The building burns down / is robbed / blows up / melts / ceases to exist. You want your something back, right? The company which promised to hold it for you owes it back, right?