Firefox Community Site Hacked

Ryan Paul writes "The Mozilla Foundation reveals that remote attackers infiltrated the SpreadFirefox server by exploiting a site vulnerability. While it appears as though no personal information was accessed, e-mails were sent to inform all registered SpreadFirefox users of the breach. Ars Technica has the complete story." From the Ars article: "Preliminary analysis indicates that the exploit was limited to SpreadFirefox exclusively, meaning that other Mozilla Foundation web sites were not attacked or compromised. The vulnerability, which was exploited by 'unknown remote attackers,' could potentially have enabled the forces of computing darkness to obtain the username and password of every registered SpreadFirefox user, as well as any other optional information that users may have provided, including: real name, web site URL, e-mail address, IM screename, and home address."

Please remember to patch!

[garcia]

Registered users at the promotional Mozilla community site SpreadFirefox.com were greeted this morning by an e-mail informing them that a July 10 security breach could potentially have enabled attackers to acquire a massive amount of private user data.

It is likely that exploit was facilitated by a recently discovered vulnerability in Drupal, the open source CMS utilized by SpreadFirefox and other community sites. I have not yet been able to verify my suspicions on the matter, as the Mozilla Foundation has not yet revealed exactly which vulnerability was exploited.

If it was due to the vulnerability present in older versions of Drupal (pre June 29th) then it was the admins of spreadfirefox.com that left it unpatched until July 10th (11 days). There is no excuse for that kind of delay in patching a vulnerability on a system that could affect as many users as SpreadFirefox caters to.

why would you ever list this info?

[Gothmolly]

Why would you ever give all that personal info to a random website? Even if you're a big Firefox advocate, what possible value does it add to the project to provide them with your home address? At best, you're going to get spammed. at worst, you get your identity stolen. duh.

Little fox is growing up!

[Szaman2]

Aww... Our little baybe fox is growing up! Look, it just had a first big script kiddie attack trying to take over one of its' sites.. Ah, how this time passes. Only yesterday it was a tiny alpha project no one cared about... I think this only goes to show that Firefox is really becoming more popular nowdays.

content of mail from SpreadFirefox.com site

[appavi]

content of mail sent to all registered users of SpreadFirefox.com site

From: admin@spreadfirefox.com
Reply-To: admin@spreadfirefox.com
To: announce@spreadfirefox.com
Date: Jul 15, 2005 2:52 AM
Subject: Spread Firefox outage and privacy breach notice

On Tuesday, July 12, the Mozilla Foundation discovered that the server hosting Spread Firefox, our community marketing site, had been accessed on Sunday, July 10 by unknown remote attackers who exploited a security vulnerability in the software running the site. This exploit was limited to SpreadFirefox.com and did not affect other mozilla.org web sites or Mozilla software.

We don't have any evidence that the attackers obtained personal information about site users, and we believe they accessed the machine to use it to send spam. However, it is possible that the attackers acquired information site users provided to the site.

As a Spread Firefox user, you have provided us with a username and password. You may also have provided us with other information, including a real name, a URL, an email address, IM names, a street address, a birthday, and private messages to other users.

We recommend that you change your Spread Firefox password and the password of any accounts where you use the same password as your Spread Firefox account. To change your Spread Firefox password, go to SpreadFirefox.com, log in with your current password, select "My Account" from the sidebar, select "Edit Account" from the sidebar, then enter your new password into the Password fields and press the "Save user information" button at the bottom of the page.

The Mozilla Foundation deeply regrets this incident and is taking steps to prevent it from happening again. We have applied the necessary security fixes to the software running the site, have reviewed our security plan to determine why we didn't previously apply those fixes in this case, and have modified that plan to ensure we do so in the future.

Sincerely,
The Mozilla Foundation

Mozilla Not At Risk!

[CypherXero]

SpreadFirefox.com is based on Drupal CMS, and is in no way a sign that Mozilla can be hacked because of this. Yes, anything and anyone can be hacked, but I keep seeing a lot of people think that the Mozilla Foundation is at risk. But not with this hack, because they (Mozilla) don't run Drupal. Drupal has had vulnerabilities like this before in their older versions (I got attacked with it on my Online Portfolio site, which ran a vulnerable version of Drupal).

Just clearing that up for people.

Re:How many people...

[ifishfortorque]

Here, looks like you need this.

(hands over tinfoil hat)

Probably an automated attack

[WebHostingGuy]

When I read this the first thing that went through my mind is that someone targeted the site. But it sounds like a spammer just used it to send out emails (as far as I know now). Based upon this I doubt that the site was even targeted at all. I bet an automated script searched through google and is looking for drupal sites to exploit. phpBB has this happen quite a bit. Once a site is found the script automates the hack and then sends out the spam.

My guess it that the spammer didn't even know what site they hacked.

Re:Please remember to cacth criminals!

[pixelpusher220]

What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock?

Nice way to twist the arguement.

Except that if it was widely publicized that ABC, Inc locks had a fatal flaw in them, but there was a modification to make it secure. But you didn't and somebody exploited that flaw to steal stuff.

Yes you'd bear some responsibility since you're housing OTHER peoples data and not doing everything reasonable to protect that data...and applying patches is plenty reasonable.

Re:Please remember to cacth criminals!

[99BottlesOfBeerInMyF]

What you are saying is, if I have a door and the lock breaks, it is my fault if I get robbed because I did not change the lock??

The above poster said nothing of the kind. He did not blame the site for getting hacked, he blamed the administrators for not providing enough security. Let me rewrite your analogy.

Yesterday at the local businessman's meeting, security expert Mr. Smith revealed that the cheap, Walmart brand padlocks in use on many stores can be broken into very easily with a ordinary pen. Mr. Smith said that these locks should be replaced and are even in use on the jewelry store down the street where a number of us have our membership rings being resized... and two weeks later the jewelry store is broken into with a pen but someone happened by and the robbers ran away without stealing much.

Would it or would it not be correct to criticize the store owner for not changing the locks, even after they were shown faulty and after the whole group was told that he was using them?

How do we stop people from hacking websites and causing disturbances?

How do we stop people from robbing jewelry stores? Well we make sure the cops enforce the laws and we put in good locks and a security system. Nothing will ever stop all robberies or all cracks, but that does not mean we should not do our best to make any given store or server a hard target. Nor does it mean we should ignore security warnings.