Slashdot Mirror


Firefox Community Site Hacked

Ryan Paul writes "The Mozilla Foundation reveals that remote attackers infiltrated the SpreadFirefox server by exploiting a site vulnerability. While it appears as though no personal information was accessed, e-mails were sent to inform all registered SpreadFirefox users of the breach. Ars Technica has the complete story." From the Ars article: "Preliminary analysis indicates that the exploit was limited to SpreadFirefox exclusively, meaning that other Mozilla Foundation web sites were not attacked or compromised. The vulnerability, which was exploited by 'unknown remote attackers,' could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user, as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screen name, and home address."

3 of 292 comments

  1. Please remember to catch criminals! by John+Seminal · · Score: 0, Troll
    If it was due to the vulnerability present in older versions of Drupal (pre June 29th) then it was the admins of spreadfirefox.com that left it unpatched until July 10th (11 days). There is no excuse for that kind of delay in patching a vulnerability on a system that could affect as many users as SpreadFirefox caters to.

    This kind of thinking is wrong and outdated.

    What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock??

    The problem is with the criminal who breaks into websites. If I wanted zero security for my website, I should be allowed to have zero security and not have anyone hack in.

    I don't know the answer. Do we increase jail time for hackers? Do we lock out countries where we know there are problems, have an internet embargo. Nothing in and nothing out? Do we change the whole internet to require some form of identification from everyone who uses it, something more than an IP address that can be spoofed? How do we stop people from hacking websites and causing disturbances?

    --

    Rosco: "If brains were gunpowder, Enos couldn't blow his nose."

  2. Re:How many people... by TheBigTBird · · Score: 0, Troll

    close to zero.

  3. Re:Encrypted passwords by bigberk · · Score: 1, Troll

    Right, sites should never be storing cleartext passwords. You store the hash of the password and each time the user enters a password, you hash it and compare to the stored value.

    This way you never store the actual password on the server and it is nearly impossible to recover the password. A quick test is, try the "forgot password" feature of a site. If it sends you back your cleartext password, you know the site is not safely handling logins.

    However, once a site is hacked, the attacker can of course read any data sent including the cleartext passwords. So if you log in to a compromised site, your password can be found out.