Slashdot Mirror


Firefox Community Site Hacked

Ryan Paul writes "The Mozilla Foundation reveals that remote attackers infiltrated the SpreadFirefox server by exploiting a site vulnerability. While it appears as though no personal information was accessed, e-mails were sent to inform all registered SpreadFirefox users of the breach. Ars Technica has the complete story." From the Ars article: "Preliminary analysis indicates that the exploit was limited to SpreadFirefox exclusively, meaning that other Mozilla Foundation web sites were not attacked or compromised. The vulnerability, which was exploited by 'unknown remote attackers,' could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user, as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screename, and home address."

19 of 292 comments

  1. Please remember to patch! by garcia · · Score: 5, Informative

    Registered users at the promotional Mozilla community site SpreadFirefox.com were greeted this morning by an e-mail informing them that a July 10 security breach could potentially have enabled attackers to acquire a massive amount of private user data.

    It is likely that the exploit was facilitated by a recently discovered vulnerability in Drupal, the open source CMS utilized by SpreadFirefox and other community sites. I have not yet been able to verify my suspicions on the matter, as the Mozilla Foundation has not yet revealed exactly which vulnerability was exploited.


    If it was due to the vulnerability present in older versions of Drupal (pre June 29th) then it was the admins of spreadfirefox.com that left it unpatched until July 10th (11 days). There is no excuse for that kind of delay in patching a vulnerability on a system that could affect as many users as SpreadFirefox caters to.

  2. why would you ever list this info? by Gothmolly · · Score: 5, Insightful

    Why would you ever give all that personal info to a random website? Even if you're a big Firefox advocate, what possible value does it add to the project to provide them with your home address? At best, you're going to get spammed. At worst, you get your identity stolen. Duh.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:why would you ever list this info? by John+Seminal · · Score: 4, Insightful
      Why would you ever give all that personal info to a random website? Even if you're a big Firefox advocate, what possible value does it add to the project to provide them with your home address? At best, you're going to get spammed. At worst, you get your identity stolen. Duh.

      I never give real information to any websites. None. I have one spam email account that I use just for activating crap. I give them the wrong state, wrong everything. I don't want to even be included in accurate demographics. Why should I? I just know the information will be sold to some mega corporation. The "privacy statement" is not worth the paper it is printed on.

      I'll give one example. There was an awesome website with information for EVERY tv show ever on tv. They had episode information, forums, cast lists, everything. It was called TvTome. For 3 or 4 years, I was a member, I loved that website, I talked to lots of people about shows I loved. Then one day, a corporation comes by, and takes this hobby board, and offers the owner 5 million dollars to buy all his data, website, everything. All the people who registered at the old website had their information sold to the new corporation. The new website sucks. It is non-functional, nobody uses it. Do I want some large company buying my personal information? NO!!

      --

      Rosco: "If brains were gunpowder, Enos couldn't blow his nose."

  3. oh no by millahtime · · Score: 4, Funny

    that means they would know my password is password, my name is jo daddy and my email is anonymous124341234@hotmail.com. oh no.

  4. Little fox is growing up! by Szaman2 · · Score: 5, Funny

    Aww... Our little baby fox is growing up! Look, it just had its first big script kiddie attack trying to take over one of its sites... Ah, how the time passes. Only yesterday it was a tiny alpha project no one cared about... I think this only goes to show that Firefox is really becoming more popular nowadays.

  5. content of mail from SpreadFirefox.com site by appavi · · Score: 5, Informative
    Content of the mail sent to all registered users of the SpreadFirefox.com site:

    From: admin@spreadfirefox.com
    Reply-To: admin@spreadfirefox.com
    To: announce@spreadfirefox.com
    Date: Jul 15, 2005 2:52 AM
    Subject: Spread Firefox outage and privacy breach notice

    On Tuesday, July 12, the Mozilla Foundation discovered that the server hosting Spread Firefox, our community marketing site, had been accessed on Sunday, July 10 by unknown remote attackers who exploited a security vulnerability in the software running the site. This exploit was limited to SpreadFirefox.com and did not affect other mozilla.org web sites or Mozilla software.

    We don't have any evidence that the attackers obtained personal information about site users, and we believe they accessed the machine to use it to send spam. However, it is possible that the attackers acquired information site users provided to the site.

    As a Spread Firefox user, you have provided us with a username and password. You may also have provided us with other information, including a real name, a URL, an email address, IM names, a street address, a birthday, and private messages to other users.

    We recommend that you change your Spread Firefox password and the password of any accounts where you use the same password as your Spread Firefox account. To change your Spread Firefox password, go to SpreadFirefox.com, log in with your current password, select "My Account" from the sidebar, select "Edit Account" from the sidebar, then enter your new password into the Password fields and press the "Save user information" button at the bottom of the page.

    The Mozilla Foundation deeply regrets this incident and is taking steps to prevent it from happening again. We have applied the necessary security fixes to the software running the site, have reviewed our security plan to determine why we didn't previously apply those fixes in this case, and have modified that plan to ensure we do so in the future.


    Sincerely,
    The Mozilla Foundation
  6. Welcome, Firefox by Mr.+Maestro · · Score: 4, Insightful

    Firefox, I'd like to introduce you to "wide-spread" usage.
    Wide spread usage, this is firefox.
    (sarcastic comment overload)

  7. Re:the security flaw? by garcia · · Score: 3, Insightful

    I hope that they use some of that $10,000 in donations that they received to patch any additional security problems.

    How is this insightful? It's nothing but an uninformed troll...

    Drupal's staff has already stated that it is using *all* of the money donated for server and backend stuff as that's what the community expected it to be used for when they donated.

    Drupal is just like any other piece of open source software... It has bugs, they are patched, and the notifications of the necessity to patch go out to the end users. It's then up to the end users to patch.

    SpreadFirefox knew of the vulnerability for 10 days before they were hacked on the 11th day. It's not Drupal's fault that the admins at SpreadFirefox didn't bother to upgrade.

  8. Mozilla Not At Risk! by CypherXero · · Score: 5, Informative

    SpreadFirefox.com is based on Drupal CMS, and is in no way a sign that Mozilla can be hacked because of this. Yes, anything and anyone can be hacked, but I keep seeing a lot of people think that the Mozilla Foundation is at risk. But not with this hack, because they (Mozilla) don't run Drupal. Drupal has had vulnerabilities like this before in their older versions (I got attacked with it on my Online Portfolio site, which ran a vulnerable version of Drupal).

    Just clearing that up for people.

  9. Re:How many people... by ifishfortorque · · Score: 5, Funny

    Here, looks like you need this.

    (hands over tinfoil hat)

  10. Probably an automated attack by WebHostingGuy · · Score: 5, Interesting

    When I read this the first thing that went through my mind is that someone targeted the site. But it sounds like a spammer just used it to send out emails (as far as I know now). Based upon this I doubt that the site was even targeted at all. I bet an automated script searched through Google and is looking for Drupal sites to exploit. phpBB has this happen quite a bit. Once a site is found the script automates the hack and then sends out the spam.

    My guess is that the spammer didn't even know what site they hacked.

    --
    Quality Hosting e3 Servers
  11. Passwords? Doubt it by RickPartin · · Score: 4, Interesting

    I really doubt that any passwords were even there. Any site with brains is storing it as an MD5 hash. In fact I've never used any content management systems or forum software that stored it as plain text.

  12. Re:Please remember to catch criminals! by pixelpusher220 · · Score: 5, Insightful

    What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock?

    Nice way to twist the argument.

    Except that if it was widely publicized that ABC, Inc. locks had a fatal flaw in them, but there was a modification to make it secure. But you didn't and somebody exploited that flaw to steal stuff.

    Yes, you'd bear some responsibility since you're housing OTHER people's data and not doing everything reasonable to protect that data... and applying patches is plenty reasonable.


    --
    People in cars cause accidents....accidents in cars cause people :-D
  13. Re:Weak security by Mozk · · Score: 3, Informative

    No, they are hashed. But really, any site that hashes their passwords with at least MD5 is pretty safe. My password is sixteen characters long, so the chance of it being cracked is very near zero.

    I try not to visit sites that store passwords as plain text somewhere.

    --
    No existe.
  14. Re:Please remember to catch criminals! by 99BottlesOfBeerInMyF · · Score: 5, Insightful

    What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock??

    The above poster said nothing of the kind. He did not blame the site for getting hacked, he blamed the administrators for not providing enough security. Let me rewrite your analogy.

    Yesterday at the local businessman's meeting, security expert Mr. Smith revealed that the cheap, Walmart brand padlocks in use on many stores can be broken into very easily with an ordinary pen. Mr. Smith said that these locks should be replaced and are even in use on the jewelry store down the street where a number of us have our membership rings being resized... and two weeks later the jewelry store is broken into with a pen, but someone happened by and the robbers ran away without stealing much.

    Would it or would it not be correct to criticize the store owner for not changing the locks, even after they were shown faulty and after the whole group was told that he was using them?

    How do we stop people from hacking websites and causing disturbances?

    How do we stop people from robbing jewelry stores? Well we make sure the cops enforce the laws and we put in good locks and a security system. Nothing will ever stop all robberies or all cracks, but that does not mean we should not do our best to make any given store or server a hard target. Nor does it mean we should ignore security warnings.

  15. Re:Please remember to catch criminals! by ReverendLoki · · Score: 4, Insightful
    To further nail the analogy down (or perhaps drive it further into the ground, I'm not sure which):

    Assume that the landlord of your apartment building uses ABC, Inc. locks with said flaw, and fails to fix that flaw in a timely manner, despite the fact that the fix is moderately simple and free to implement. You, the tenant, have no ability to apply this change yourself. Now, when the burglars come and exploit that flaw to steal all of your stuff, wouldn't you want to hold the landlord at least partially to blame as well as the burglars?

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  16. SpreadFirefox uses CivicSpace by Teja · · Score: 3, Interesting

    SpreadFirefox uses a variant of Drupal, named CivicSpace. Does that make much difference with patching? Maybe only a few aspects are different. I installed it, and I've only noticed some minor changes, nothing too major really (of course, I spent only a few minutes with it), but personally I'd probably stick to Drupal. Larger community base.

    --
    - Teja
  17. Re:Please remember to catch criminals! by d34thm0nk3y · · Score: 3, Insightful

    What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock??

    The problem is with the criminal who breaks into websites. If I wanted zero security for my website, I should be allowed to have zero security and not have anyone hack in.


    Ugh, I am so sick of the never-ending analogies in this friggin place! Try this non-analogous rebuttal on for size:

    negligence, n.

    1. The state or quality of being negligent.
    2. A negligent act or a failure to act.
    3. Law. Failure to exercise the degree of care considered reasonable under the circumstances, resulting in an unintended injury to another party.

  18. Re:Was Mozilla.org also defaced? by justdave72 · · Score: 3, Informative

    No, mirrors.playboy.com is an official Mozilla FTP mirror (one of about 80 or so). For probably obvious reasons a lot of businesses probably block any access to that domain though. The download link on mozilla.org will send you to a random server off the mirrors list when you click it, so just try again and you'll probably get it from a different server.