Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Community Site Hacked

Posted by Zonk on from the series-of-unfortunate-events dept.

Ryan Paul writes "The Mozilla Foundation reveals that remote attackers infiltrated the SpreadFirefox server by exploiting a site vulnerability. While it appears as though no personal information was accessed, e-mails were sent to inform all registered SpreadFirefox users of the breach. Ars Technica has the complete story." From the Ars article: "Preliminary analysis indicates that the exploit was limited to SpreadFirefox exclusively, meaning that other Mozilla Foundation web sites were not attacked or compromised. The vulnerability, which was exploited by 'unknown remote attackers,' could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user, as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screename, and home address."

5 of 292 comments (clear)

  1. Probably an automated attack by WebHostingGuy · · Score: 5, Interesting

    When I read this the first thing that went through my mind is that someone targeted the site. But it sounds like a spammer just used it to send out emails (as far as I know now). Based upon this I doubt that the site was even targeted at all. I bet an automated script searched through google and is looking for drupal sites to exploit. phpBB has this happen quite a bit. Once a site is found the script automates the hack and then sends out the spam.

    My guess it that the spammer didn't even know what site they hacked.

    --
    Quality Hosting e3 Servers
  2. Passwords? Doubt it by RickPartin · · Score: 4, Interesting

    I really doubt that any passwords were even there. Any site with brains is storing it as an MD5 hash. In fact I've never used any content management systems or forum software that stored it as plain text.

  3. Re:why would you ever list this info? by Free_Trial_Thinking · · Score: 2, Interesting

    I'm trying to answer this question for my own website right now. It's a program that lets you manage a dance studio, and I'm starting to design the registration page. I noticed that I instinctively starting adding first name, last name, address, fields, but then I realized, why do I care?

    So now I'm wondering, how can I design a registration page when all I require is a userID and password? Wouldn't that look weird as a registration page? Any advice?

  4. SpreadFirefox uses CivicSpace by Teja · · Score: 3, Interesting

    SpreadFirefox uses a variant to Drupal, named CivicSpace. Does that make much difference with patching? Maybe only a few aspects are different. I installed it, I've only noticed just some minor changes, nothing too major really (of course, I spent only a few minutes with it), but personally I'd probably stick to Drupal. Larger community base.

    --
    - Teja
  5. Re:Please remember to cacth criminals! by DelphiGeek · · Score: 2, Interesting

    I think you need to change the analogy to perhaps put it in slightly better perspective.

    Say you purchased a car from Foo Motor Company in 2000. In 2001, they release a "recall" for a brake spring that is faulty. In this recall it states that the part failure may result in the serious malfunction of the braking system and could render the brakes useless. All parts and labor are covered on the repair, just take to your nearest dealer.

    For whatever reason (probably because you are busy) you never take the vehicle to the dealer and have the work done. Then in 2002 you are cruising down the road and a small child runs in front of your car. You slam on the brakes and NOTHING. They just don't work. You smoosh the kid.

    Is Foo Motor Company at fault? After all they did warn you and provide a method to fix the problem.