Firefox Community Site Hacked
Ryan Paul writes "The Mozilla Foundation reveals that remote attackers infiltrated the SpreadFirefox server by exploiting a site vulnerability. While it appears as though no personal information was accessed, e-mails were sent to inform all registered SpreadFirefox users of the breach. Ars Technica has the complete story." From the Ars article: "Preliminary analysis indicates that the exploit was limited to SpreadFirefox exclusively, meaning that other Mozilla Foundation web sites were not attacked or compromised. The vulnerability, which was exploited by 'unknown remote attackers,' could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user, as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screen name, and home address."
Registered users at the promotional Mozilla community site SpreadFirefox.com were greeted this morning by an e-mail informing them that a July 10 security breach could potentially have enabled attackers to acquire a massive amount of private user data.
It is likely that exploit was facilitated by a recently discovered vulnerability in Drupal, the open source CMS utilized by SpreadFirefox and other community sites. I have not yet been able to verify my suspicions on the matter, as the Mozilla Foundation has not yet revealed exactly which vulnerability was exploited.
If it was due to the vulnerability present in older versions of Drupal (pre June 29th) then it was the admins of spreadfirefox.com that left it unpatched until July 10th (11 days). There is no excuse for that kind of delay in patching a vulnerability on a system that could affect as many users as SpreadFirefox caters to.
I am *so* glad I use random passwords that are coordinated in a deeply-encrypted PGP file on an encrypted smartcard :_) for my spreadthefox.net password.
Promote freedom; fight fascism.
Why would you ever give all that personal info to a random website? Even if you're a big Firefox advocate, what possible value does it add to the project to provide them with your home address? At best, you're going to get spammed. at worst, you get your identity stolen. duh.
I want to delete my account but Slashdot doesn't allow it.
that means they would know my password is password, my name is jo daddy and my email is anonymous124341234@hotmail.com. oh no.
Evolution or ID?
Aww... Our little baybe fox is growing up! Look, it just had a first big script kiddie attack trying to take over one of its sites.. Ah, how this time passes. Only yesterday it was a tiny alpha project no one cared about... I think this only goes to show that Firefox is really becoming more popular nowadays.
I'm teminally incoherent
From: admin@spreadfirefox.com
Reply-To: admin@spreadfirefox.com
To: announce@spreadfirefox.com
Date: Jul 15, 2005 2:52 AM
Subject: Spread Firefox outage and privacy breach notice
On Tuesday, July 12, the Mozilla Foundation discovered that the server hosting Spread Firefox, our community marketing site, had been accessed on Sunday, July 10 by unknown remote attackers who exploited a security vulnerability in the software running the site. This exploit was limited to SpreadFirefox.com and did not affect other mozilla.org web sites or Mozilla software.
We don't have any evidence that the attackers obtained personal information about site users, and we believe they accessed the machine to use it to send spam. However, it is possible that the attackers acquired information site users provided to the site.
As a Spread Firefox user, you have provided us with a username and password. You may also have provided us with other information, including a real name, a URL, an email address, IM names, a street address, a birthday, and private messages to other users. We recommend that you change your Spread Firefox password and the password of any accounts where you use the same password as your Spread Firefox account. To change your Spread Firefox password, go to SpreadFirefox.com, log in with your current password, select "My Account" from the sidebar, select "Edit Account" from the sidebar, then enter your new password into the Password fields and press the "Save user information" button at the bottom of the page.
The Mozilla Foundation deeply regrets this incident and is taking steps to prevent it from happening again. We have applied the necessary security fixes to the software running the site, have reviewed our security plan to determine why we didn't previously apply those fixes in this case, and have modified that plan to ensure we do so in the future.
Sincerely,
The Mozilla Foundation
Firefox, I'd like to introduce you to "wide-spread" usage.
Wide spread usage, this is firefox.
(sarcastic comment overload)
I hope that they use some of that $10,000 in donations that they received to patch any additional security problems.
How is this insightful? It's nothing but an uninformed troll...
Drupal's staff has already stated that it is using *all* of the money donated for server and backend stuff as that's what the community expected it to be used for when they donated.
Drupal is just like any other piece of open source software... It has bugs, they are patched, and the notifications of the necessity to patch go out to the end users. It's then up to the end users to patch.
SpreadFirefox knew of the vulnerability for 10 days before they were hacked on the 11th day. It's not Drupal's fault that the admins at SpreadFirefox didn't bother to upgrade.
You can crack MD5 hashes.
RTJKJAS
SpreadFirefox.com is based on Drupal CMS, and is in no way a sign that Mozilla can be hacked because of this. Yes, anything and anyone can be hacked, but I keep seeing a lot of people think that the Mozilla Foundation is at risk. But not with this hack, because they (Mozilla) don't run Drupal. Drupal has had vulnerabilities like this before in their older versions (I got attacked with it on my Online Portfolio site, which ran a vulnerable version of Drupal).
Just clearing that up for people.
Here, looks like you need this.
(hands over tinfoil hat)
As mentioned previously, it happens to the best of us, so we all need to be on top of keeping up with patches and installing them.
Get some.
as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screen name, and home address.
That's precisely why you should always treat information submitted to a site like Spread Firefox as though it will be released to the public sometime in the future. If you aren't ready for everybody to have access to your home address, then simply don't release your home address.
Do you like German cars?
Lots of people probably use the same password for their email and websites such as SpreadFirefox. If any users use webmail and provided their email address, this could be a big problem. I would have thought that SpreadFirefox would have used hashes and salt on their passwords, but apparently this isn't the case.
It looks like the Mozilla Foundation realized this too:
While there is currently no evidence that the attackers acquired user data, the Mozilla Foundation suggests that registered users change their password and "the password of any accounts where you use the same password as your Spread Firefox account."
When I read this the first thing that went through my mind is that someone targeted the site. But it sounds like a spammer just used it to send out emails (as far as I know now). Based upon this I doubt that the site was even targeted at all. I bet an automated script searched through google and is looking for drupal sites to exploit. phpBB has this happen quite a bit. Once a site is found the script automates the hack and then sends out the spam.
My guess it that the spammer didn't even know what site they hacked.
Quality Hosting e3 Servers
I really doubt that any passwords were even there. Any site with brains is storing it as an MD5 hash. In fact I've never used any content management systems or forum software that stored it as plain text.
What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock?
Nice way to twist the argument.
Except that if it was widely publicized that ABC, Inc locks had a fatal flaw in them, but there was a modification to make it secure. But you didn't and somebody exploited that flaw to steal stuff.
Yes you'd bear some responsibility since you're housing OTHER peoples data and not doing everything reasonable to protect that data...and applying patches is plenty reasonable.
People in cars cause accidents....accidents in cars cause people
No, they are hashed. But really, any site that hashes their passwords with at least MD5 is pretty safe. My password is sixteen characters long, so the chance of it being cracked is very near zero.
I try not to visit sites that store passwords as plain text somewhere.
No existe.
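The posts above disagree about whether SpreadFirefox stored passwords hashed, and one claims that "at least MD5" is pretty safe. The following is an added example (not code from the thread, Drupal or Mozilla) that makes the difference concrete: a bare unsalted MD5 table reveals which users share a password before anyone cracks anything, and every user's guess can be checked against one precomputed table, whereas a per-user random salt plus a deliberately slow derivation (PBKDF2-HMAC-SHA256 from Python's standard library) removes the duplicates and makes each guess cost real work. The user names and passwords are constructed sample data; the `pbkdf2_sha256$` record format is an assumption for this example, not Drupal's.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample user table: three accounts, two of which chose the same password.
SAMPLE_USERS = {
    "alice": "correct horse battery",
    "bob": "hunter2",
    "carol": "hunter2",
}


def md5_unsalted(password: str) -> str:
    """The scheme several posters assume: a bare MD5 of the password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF. Returns a self-describing record
    (assumed format: algorithm$iterations$salt_hex$digest_hex) so the parameters
    can be raised later without breaking existing accounts."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def duplicate_hashes(table: Dict[str, str]) -> int:
    """Number of stored values that collide. Anything above zero means identical
    passwords are visible in a leaked table without cracking a single hash."""
    values = list(table.values())
    return len(values) - len(set(values))


def build_tables(users: Dict[str, str] = SAMPLE_USERS) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Produce both storage schemes for the same users so they can be compared."""
    unsalted = {user: md5_unsalted(pw) for user, pw in users.items()}
    salted = {user: pbkdf2_salted(pw) for user, pw in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted MD5 duplicates:", duplicate_hashes(unsalted))
    print("salted PBKDF2 duplicates:", duplicate_hashes(salted))
    print("bob logs in:", verify_pbkdf2("hunter2", salted["bob"]))
    print("wrong password:", verify_pbkdf2("hunter3", salted["bob"]))
```

Running it shows one collision in the MD5 table (bob and carol) and none in the salted table, even though the same two passwords were stored. A sixteen-character password does help, as a poster notes, but the site, not the user, decides whether every other user's short password falls to one shared lookup table.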
What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock??
The above poster said nothing of the kind. He did not blame the site for getting hacked, he blamed the administrators for not providing enough security. Let me rewrite your analogy.
Yesterday at the local businessman's meeting, security expert Mr. Smith revealed that the cheap, Walmart brand padlocks in use on many stores can be broken into very easily with an ordinary pen. Mr. Smith said that these locks should be replaced and are even in use on the jewelry store down the street where a number of us have our membership rings being resized... and two weeks later the jewelry store is broken into with a pen but someone happened by and the robbers ran away without stealing much.
Would it or would it not be correct to criticize the store owner for not changing the locks, even after they were shown faulty and after the whole group was told that he was using them?
How do we stop people from hacking websites and causing disturbances?
How do we stop people from robbing jewelry stores? Well we make sure the cops enforce the laws and we put in good locks and a security system. Nothing will ever stop all robberies or all cracks, but that does not mean we should not do our best to make any given store or server a hard target. Nor does it mean we should ignore security warnings.
So the solution is to do away with the police and simply build our homes out of 2ft thick titanium. And then when they find a way to cut through that, the news will report it, and then it'll be your fault for not upgrading to diamond plate armor.
Actually, I came across this at Google News prior to stopping Slashdot. It's hard to say how much press coverage it will get. I suppose it all depends on whether or not the FUD spinners feel they can use this to show that Open Source is no more secure than proprietary software. Be that as it may, software is a huge part of the picture; however, you can't rule out the impact that the human factor and the choices that admins make (or fail to make) have in maintaining system security.
Get some.
"How many people upon reading the headline immediately suspected that Microsoft is behind this?"
Funny, I suspected the growing popularity and the shitheaded zealousy surrounding FireFox.
Then again, MS is suspected of everything bad in the world around here. You guys are just kidding yourselves if you think Microsoft is FireFox's only enemy.
"Derp de derp."
If this was just someones lame "Look at pictures of my puppies" website that held no personal information about anyone and it got hacked, the fault would lie totally with the hacker.
You house other peoples private data, you better be securing the site, or you are negligent.
Exploit they used:
"I found out that there's a "new" drupal exploit which allows posters to inject arbitrary code into the system for execution on the server -by way of comments. The Drupal.org site is presently down, and apparently has been last night. If you're running Drupal 4.5.1 or 4.6.2, turn off your comments. For visitors here, I'm sorry that you presently cannot comment and I'll turn them back on as soon as possible."
http://www.knowprose.com/node/2866
Sample source code of the exploit:
http://www.milw0rm.com/id.php?id=1088
Red Hat Advanced Server 3.0 powers spreadfirefox.com:
Response Headers - http://www.spreadfirefox.com/
Date: Fri, 15 Jul 2005 20:01:52 GMT
Server: Apache/2.0.52 (Red Hat)
This vulnerability has been known for over 2 weeks. Was there no Redhat patch available or did the admins slack off?
Also, isn't it strange how Drupal gets 2 posts on Slashdot in the same day?
Community, OSL and Sun Jump to Drupal's Rescue - http://it.slashdot.org/article.pl?sid=05/07/15/12
-Joe
Assume that the landlord of your apartment building uses ABC, Inc. locks with said flaw, and fails to fix that flaw in a timely manner, despite the fact that the fix is moderately simple and free to implement. You, the tenant, have no ability to apply this change yourself. Now, when the burglars come and exploit that flaw to steal all of your stuff, wouldn't you want to hold the landlord at least partially to blame as well as the burglars?
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Wow. You mean to tell me that they (spreadfirefox.com) were storing passwords locally and in non-hashed (+salt) form?
I assume that every website I have ever registered for is storing their passwords in plaintext. After all, it's slightly easier to manage, nobody expects to get broken into, and people are lazy.
Sure, some sites you visit will be secure against this kind of problem, but as a external customer, how could you ever know?
1) Mozilla's the good guys. Microsoft's the evil empire.
Good and evil are completely subjective. Someone pro-Microsoft could think Firefox is the devil incarnate (let's not discuss why someone would be pro-Microsoft and just grant the premise that there could exist a tech savvy zealot with either something against Mozilla or a hard-on for MS)
2) As said in the summary, these guys could get, "real names, web site URLs, e-mail addresses, IM screen names, and home addresses." No credit card information, no bank account numbers, nothing of value other than matching a name&address to a login. Since nobody's sharing any MP3s or warez or doing anything illegal, how does a name&address hurt anybody?
Web site URLs, email addresses, IM screennames = new targets for spamming. If we assume the intruders acted with spamming in mind, electronic contact info of any kind is key.
3) I myself haven't even heard of SpreadFireFox's website until today. It's not a big-name deal. I doubt anybody's going to get their name on CNN for this. So, no publicity beyond Slashdot.
So, why hack SpreadFirefox?
Why do hackers hack anything?
Because they can.
I can't answer the third point directly, but a hacker's motivation is partially driven by "can I do this?"
I really doubt that the passwords were ever vulnerable since SpreadFirefox runs on Drupal and I'm fairly certain that Drupal hashes them (MD5) before storing them in the database. Worst case then would be that people got the hashes and could hack them, but it's quite a chore for a fairly unimportant login (it's not like it's my banking data).
Anyone else get creeped out when big commercial sites don't hash passwords (and can therefore recover them)?
SpreadFirefox uses a variant to Drupal, named CivicSpace. Does that make much difference with patching? Maybe only a few aspects are different. I installed it, I've only noticed just some minor changes, nothing too major really (of course, I spent only a few minutes with it), but personally I'd probably stick to Drupal. Larger community base.
- Teja
How about this analogy:
There's a "webserver", and this "webserver" is running "software". The people that make the "software" have released a "patch" 2 weeks ago that "fixes" a number of "security holes" in the "software".
Then, the people who run this "webserver" didn't apply the "patch", and "webserver" got "hacked".
The "webserver" was also storing "3rd party contact information"; ergo, the people who run the "webserver" should have applied the "patch" more quickly.
Come on, folks. Every thread on slashdot lately, it seems everyone tries to make analogies, and everyone else is correcting them. We're all geeks, it's not hard to understand the concept of "unpatched webserver gets hacked" or "non-encrypted wireless internet used by passerby", or a hundred other things that seem foreign to the talking heads on CNN's "technology report". We get it. It is what it is.
~Wil
sig?
We at Diamond Plate Armored Homes Inc. would like to remind you of an amazing offer on our latest 900mm SurroundWall "Better-Than-Cops"(TM) residential security system.
But wait, if you call today, you'll also get 30% off our Enhanced Titanium Adobe-feel roof, providing NSA-grade penetration security in style!
All our products come with built-in machine gun mounts, and are blast and impact proof up to 300 kg of TNT.
When you care about the safety of your family, you protect it with "Armored Homes"!
Call your representative TODAY to take advantage of this great offer!
"Piter, too, is dead."
I think you need to change the analogy to perhaps put it in slightly better perspective.
Say you purchased a car from Foo Motor Company in 2000. In 2001, they release a "recall" for a brake spring that is faulty. In this recall it states that the part failure may result in the serious malfunction of the braking system and could render the brakes useless. All parts and labor are covered on the repair, just take it to your nearest dealer.
For whatever reason (probably because you are busy) you never take the vehicle to the dealer and have the work done. Then in 2002 you are cruising down the road and a small child runs in front of your car. You slam on the brakes and NOTHING. They just don't work. You smoosh the kid.
Is Foo Motor Company at fault? After all they did warn you and provide a method to fix the problem.
What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock??
The problem is with the criminal who breaks into websites. If I wanted zero security for my website, I should be allowed to have zero security and not have anyone hack in.
Ugh, I am so sick of the never-ending analogies in this friggin place! Try this non-analogous rebuttal on for size:
negligence (n.)
1. The state or quality of being negligent.
2. A negligent act or a failure to act.
3. Law. Failure to exercise the degree of care considered reasonable under the circumstances, resulting in an unintended injury to another party.
That's not "much less." It's also very much worth pointing out that homicide rate isn't necessarily an accurate index of crime as a whole, and chances are the statistics mentioned don't take into account all sorts of things completely unrelated to the moral state of man that would boost the statistics. Yes, it's bad to rob a store. It's also foolish to leave a store undefended against robbery, and you are responsible if you lose other people's property because of your failure to take appropriate measures against a known threat. Just like if you lost their stuff or exposed it to corrosive materials on accident. You aren't responsible for the robbery, but you are responsible for the loss. Alternatively: You put something in a safety deposit box at a local company. The building burns down / is robbed / blows up / melts / ceases to exist. You want your something back, right? The company which promised to hold it for you owes it back, right?
Come on, folks. Every thread on slashdot lately, it seems everyone tries to make analogies, and everyone else is correcting them.
So it's like when you write a book, and something in it is confusing, and then some editor scribbles something less confusing in the margin, but everyone still ends up confused?
I'm a foundation employee and the guy who wrote the message we sent to Spread Firefox users. A few notes:
No, mirrors.playboy.com is an official Mozilla FTP mirror (one of about 80 or so). For probably obvious reasons a lot of businesses probably block any access to that domain though. The download link on mozilla.org will send you to a random server off the mirrors list when you click it, so just try again and you'll probably get it from a different server.