Firefox Community Site Hacked
Ryan Paul writes "The Mozilla Foundation reveals that remote attackers infiltrated the SpreadFirefox server by exploiting a site vulnerability. While it appears as though no personal information was accessed, e-mails were sent to inform all registered SpreadFirefox users of the breach. Ars Technica has the complete story." From the Ars article: "Preliminary analysis indicates that the exploit was limited to SpreadFirefox exclusively, meaning that other Mozilla Foundation web sites were not attacked or compromised. The vulnerability, which was exploited by 'unknown remote attackers,' could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user, as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screen name, and home address."
As an organization or community gains increased exposure, it becomes more likely to gain the attention of those with nefarious intents. Spread FF servers are running Apache on Red Hat, so this was not an MS vulnerability but more likely Drupal CVS. Perhaps it was a local attack from Oregon itself? Incidents like this will only continue to rise. It is the obligation of the F/OSS community to ensure the GNU/Linux vulnerabilities are eradicated to support other F/OSS projects like SpreadFireFox.
If we don't fight for ourselves no one will.
After reading in the article that they were using Drupal, I hope that they use some of that $10,000 in donations that they received to patch any additional security problems.
"What do you think?" "I think 'What, do you think?!'"
How many people upon reading the headline immediately suspected that Microsoft is behind this?
Technoli
could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user
Wow. You mean to tell me that they (spreadfirefox.com) were storing passwords locally and in non-hashed (+salt) form?
When I read this the first thing that went through my mind is that someone targeted the site. But it sounds like a spammer just used it to send out emails (as far as I know now). Based upon this I doubt that the site was even targeted at all. I bet an automated script searched through google and is looking for drupal sites to exploit. phpBB has this happen quite a bit. Once a site is found the script automates the hack and then sends out the spam.
My guess is that the spammer didn't even know what site they hacked.
Quality Hosting e3 Servers
I really doubt that any passwords were even there. Any site with brains is storing it as an MD5 hash. In fact I've never used any content management systems or forum software that stored it as plain text.
I'm trying to answer this question for my own website right now. It's a program that lets you manage a dance studio, and I'm starting to design the registration page. I noticed that I instinctively started adding first name, last name, and address fields, but then I realized, why do I care?
So now I'm wondering, how can I design a registration page when all I require is a userID and password? Wouldn't that look weird as a registration page? Any advice?
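The two comments above (the one asking whether passwords were stored hashed and salted, and the one asking how to build a registration page that asks for nothing but a user ID and password) describe the same defensive design, so here is one added example that covers both. It is illustrative code written for this page, not code from SpreadFirefox, Drupal, CivicSpace or the commenters, and it makes no claim about how SpreadFirefox actually stored its credentials. It contrasts an unsalted MD5 digest with a per-user salted, iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library), and wraps it in a store that collects only the two fields the commenter actually needs. The class and function names (`UserStore`, `hash_password`, `verify_password`) are invented for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters for the slow, salted hash. Iteration count is a constructed
# example value; tune it to your hardware so one check costs tens of ms.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def weak_unsalted_md5(password: str) -> str:
    """The weak scheme for comparison: one unsalted MD5 per password.
    Identical passwords collapse to identical digests, so a leaked table
    reveals every user who shares a password and invites precomputed lookups."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.
    A fresh random salt per user means equal passwords are stored differently,
    and keeping the iteration count in the record lets it be raised later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), hash_hex)


# Precomputed record used so that a login attempt for an unknown user ID
# costs about the same as one for a known user (no timing hint either way).
_DUMMY_RECORD = hash_password("not-a-real-password")


class UserStore:
    """Minimal registration store: only a user ID and a password record.
    No name, address or other optional fields are collected, so a breach of
    this table exposes nothing beyond salted hashes that still have to be cracked."""

    def __init__(self) -> None:
        self._users: Dict[str, str] = {}

    def register(self, user_id: str, password: str) -> bool:
        if user_id in self._users or len(password) < 8:
            return False
        self._users[user_id] = hash_password(password)
        return True

    def login(self, user_id: str, password: str) -> bool:
        record = self._users.get(user_id)
        if record is None:
            verify_password(password, _DUMMY_RECORD)  # burn the same time, then reject
            return False
        return verify_password(password, record)

    def stored_records(self) -> Dict[str, str]:
        """What an attacker would see after a table dump of this store."""
        return dict(self._users)


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery")
    store.register("bob", "correct horse battery")
    for uid, rec in store.stored_records().items():
        print(uid, rec)  # same password, two different records
    print("md5, unsalted:", weak_unsalted_md5("correct horse battery"))
    print("alice login ok:", store.login("alice", "correct horse battery"))
    print("alice wrong pw:", store.login("alice", "wrong password"))
```

Running it shows two registered users with the same password producing two different stored records, while the unsalted MD5 of that password is a single fixed value. The registration form that goes with this store needs exactly two inputs; a page that asks for nothing else is not weird, it simply has nothing extra to lose.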
SpreadFirefox uses a variant of Drupal, named CivicSpace. Does that make much difference with patching? Maybe only a few aspects are different. I installed it, and I've only noticed some minor changes, nothing too major really (of course, I spent only a few minutes with it), but personally I'd probably stick to Drupal. Larger community base.
- Teja
Boycott cnet. They are a crappy company and they ruin everything they touch.
TVtome was a completely functional website that brought together volumes of information and opinions, and conveniently organized it all. It was created with literally thousands of man-hours, forming the finest source of information on television on the internet. It was one of the websites, combined with imdb and wikipedia, that proved to me how great the internet was at organizing information. Cnet, in one fell swoop, destroyed all of this.
I think you need to change the analogy to perhaps put it in slightly better perspective.
Say you purchased a car from Foo Motor Company in 2000. In 2001, they release a "recall" for a brake spring that is faulty. In this recall it states that the part failure may result in the serious malfunction of the braking system and could render the brakes useless. All parts and labor are covered on the repair, just take to your nearest dealer.
For whatever reason (probably because you are busy) you never take the vehicle to the dealer and have the work done. Then in 2002 you are cruising down the road and a small child runs in front of your car. You slam on the brakes and NOTHING. They just don't work. You smoosh the kid.
Is Foo Motor Company at fault? After all they did warn you and provide a method to fix the problem.