Slashdot Mirror

← Back to Stories (view on slashdot.org)

SpreadFirefox Security Breached (again)

Posted by CmdrTaco on from the hate-when-that-happens dept.

Kurt writes "The hugely popular SpreadFirefox project, a Firefox community marketing site, has recently fallen victim to a security breach in their TWiki software. This breach has forced the site to shutdown until October 19th. During this time, they will be performing a rebuild of the SpreadFirefox system, to hopefully curb more security breaches."

33 of 140 comments (clear)

  1. Message by mysqlrocks · · Score: 3, Funny

    I noticed this message yesterday. I was wondering what it was about. Where did slashdot get this info? I didn't see it on Mozila's web site yesterday.

    --
    Bradley Holt
    1. Re:Message by druske · · Score: 5, Informative
      The SpreadFirefox team sent this email out to registered users:

      The Spread Firefox Team became aware this week that the server hosting
      Spread Firefox, our community marketing site, has been accessed by
      unknown remote attackers who attempted to exploit a security
      vulnerability in TWiki software installed on the server. The TWiki
      software was disabled as soon as we were aware of the attempts to access
      SpreadFirefox.com. This exploit was limited to SpreadFirefox.com and
      did not affect mozilla.org web sites or Mozilla software.

      We have scanned Spread Firefox servers and at this time do not believe
      any sensitive data was taken, but as a precautionary measure we have
      shutdown the site and will be rebuilding the web site from scratch. We
      also recommend that you change your Spread Firefox password and the
      password of any accounts where you use the same password as your Spread
      Firefox account. We will notify you again when the site is back up with
      instructions on how to change your password. (Note: We do use MD5
      hashing on the passwords, but MD5 cannot protect all passwords against
      off-line dictionary style attacks.)

      After Spread Firefox was compromised in July, we instituted procedures
      to ensure that we apply all security fixes to the software running the
      site (Drupal and PHP) as soon as they become available. Unfortunately,
      those procedures overlooked the installation of the TWiki software since
      it is not used by the main Spread Firefox site. When the system is
      rebuilt, all the software will be audited to ensure that security
      updates will be applied in a timely manner. We deeply regret this
      incident and any inconvenience this may have caused you. Sincerely,

      Spread Firefox Team
      Mozilla Foundation
  2. It's Microsoft... by yogix · · Score: 2, Funny

    ... venting frustration over seeing their office business go down the drain!

    :-)

    -Yogix

  3. hm by sexyrexy · · Score: 4, Insightful

    OSS isn't inherently any more secure than proprietary software. It's just that the nature of the typical OSS developer vs a corporation means that the OSS organization is more transparent when bad things do happen. It doesn't mean that the security breach didn't already happen, though.

    --

    Rex is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    1. Re:hm by LnxAddct · · Score: 4, Informative

      This was a problem with one very small portion (twiki) of spreadfirefox. The system was setup regardless so that no user infomration was exposed. Nothing bad happened, spreadfirefox sent out a nice email to all registered users just letting them know that a remote attack was attempted.
      Regards,
      Steve

    2. Re:hm by ArsenneLupin · · Score: 4, Insightful
      the OSS organization is more transparent when bad things do happen

      That's correct. OSS organizations already warn their public if something might have happened to their website.

      Commercial organizations, on the other hand, don't warn their public. There may even be entire herds of goats trampling all over their website, and the public still isn't warned. Instead they quietely chase away the goats, still without a word of explanation to the public. And then completely forget to mend the fence through which the goats entered!

    3. Re:hm by ajs318 · · Score: 4, Insightful

      OSS is inherently more secure than proprietary software.

      Proprietary software authors do not have to do things "properly", they just kludge things together that may or may not work in every possible weirdy case, and rely on nobody ever seeing what an awful job they made of it in the first place. Witness any open source project that used to be closed-source {Mozilla; OpenOffice.org; Solaris}. Open Source developers have to write code that they would not be ashamed to show to anybody, because they do not know who is going to be looking at it. To quote Larry Wall, "Hubris is the quality that makes you write (and maintain) programs that other people won't want to say bad things about. Hence, the third great virtue of a programmer." They also have to write code in such a way that it won't be obvious from inspecting it how to misuse it.

      Morbid curiosity is what makes people look at source code; and there are significantly more good guys than bad, so if anyone is looking at your source code, the chances are that their intentions are honourable.

      --
      Je fume. Tu fumes. Nous fûmes!
    4. Re:hm by saider · · Score: 2, Insightful

      I have seen a good number comments in all kinds of projects that can be summed up as...
      // This is ugly, but it works

      Often it is the result of shoddy hardware design or trying to weld pieces of code together that were never designed for it. Sometimes you have to resort to "bad code" to achieve your goals.

      --


      Remember, You are unique...just like everyone else.
    5. Re:hm by Dan+Ost · · Score: 2, Insightful

      Ugly code should be tolerated only if it is the only
      alternative to getting the code to work before the deadline.
      And even then, it should only be tolerated if you've tried
      and failed to move the deadline back. And then it should be
      removed as soon as possible.

      Ugly code, left unchecked, spreads like crazy because you
      have to code around it which makes more ugly code that has
      to be coded around.

      Don't write ugly code.

      --

      *sigh* back to work...
  4. Hmmm... by PhotoBoy · · Score: 2, Interesting

    No reassurances this time that no personal data was stolen? Last time they made damn sure to point out that everyone's data was safe but it seems this time they've not told us about that. Could the hackers have a nice big list of email addresses to spam now?

    1. Re:Hmmm... by j-turkey · · Score: 3, Informative

      From the email sent out, it says that:

      We have scanned Spread Firefox servers and at this time do not believe any sensitive data was taken, but as a precautionary measure we have shutdown the site and will be rebuilding the web site from scratch. We also recommend that you change your Spread Firefox password and the password of any accounts where you use the same password as your Spread Firefox account.

      It seems safe to assume that personal information is a subset of sensitive data, no?

      --

      -Turkey

  5. Wrong Date by rb2297 · · Score: 5, Informative

    It says the site is down until the 15th not the 19th...

    1. Re:Wrong Date by Anonymous Coward · · Score: 3, Funny

      If we can't trust them about showing correct dates, then for goodness sake, why should we believe there even WAS a security breach?

  6. Not Mozilla software that was hacked by elfguygmail.com · · Score: 3, Informative

    It's not Mozilla software that got hacked. If it's indeed the Wiki part, then it's the MediaWiki software, which is also open source but has nothing to do with Mozilla or Firefox. Either way, that web site is very user based where tons of tools were hosted for the community like public forums and freely editable wikis, so it's not surprising that some of them may have issues. Until the actual mozilla.org site gets hacked, which I highly doubt it will ever happen, there's nothing to worry about.

    1. Re:Not Mozilla software that was hacked by Gaspo · · Score: 3, Insightful

      It's not about the fact that it was a user community, rather than the actual Mozilla.org site that was compromised. From a PR standpoint, the reports will concentrate, I suspect, on the fact that something associated with Mozilla was broken into, and thus will cast the Mozilla Foundation as a whole in a rather negative glow. Hopefully it won't last too long, or perhaps hell will freeze over and accurate reporting will prevail.

    2. Re:Not Mozilla software that was hacked by kccricket · · Score: 3, Informative
      It's not about the fact that it was a user community, rather than the actual Mozilla.org site that was compromised.

      Yeah, except that:
      This exploit was limited to SpreadFirefox.com and did not affect mozilla.org web sites or Mozilla software.
      --
      * chirp * chirp *
    3. Re:Not Mozilla software that was hacked by sprintstar · · Score: 5, Informative

      It wasn't MediaWiki , it was TWiki. They have (AFAIK) nothing to do with each other.

  7. Can you imagine... by SocietyoftheFist · · Score: 3, Insightful

    Shutting your corporate website down for 2 weeks?

  8. Here comes the trolls! by LordKazan · · Score: 2, Informative

    While the "but open source is supposed to me more secure!" trolls will open their mouths about how this is evidence we're wrong - it's not.

    All software and therefore all websites contain vulnerabilities.
    The advantage of OSS is that these security holes are fixed promptly.

    Thanks to someone posting the origional email announcement we know that this breach was due to poor server administration in that they didn't keep their software patched up to the latest version. This vulnerability is probably fixed in the latest TWiki releases being that someone is out there exploiting it.

    --
    If you cannot keep politics out of your moderation remove yourself from the Mod Lottery.. NOW!
    1. Re:Here comes the trolls! by kiwimate · · Score: 3, Interesting

      ...this breach was due to poor server administration in that they didn't keep their software patched up to the latest version.

      Yep, agreed.

      Same as the majority * of Microsoft hacks. People not changing their SQL Server sa password from the default, or not applying the patch that blocks that particulary vulnerability that was released by Microsoft six months ago, or...

      * Note: I fully expect someone to come up and say "but what about...". That's why I chose that phrasing. I'm not arguing Microsoft is perfect, and you can certainly argue whether open-source means you get the advantage of transparency **, or whatever your retort may be. But my contention is that the majority of hacks of Microsoft products come down to poor server administration.

      ** Which advantage is also extended to the hackers, of course.

  9. Dupe! by Scoria · · Score: 4, Funny

    Look at this! Now they're even taunting us by appending "(again)" to the duplicate subject entries!

    --
    Do you like German cars?
  10. We're done with TWiki by po8 · · Score: 5, Informative

    I also recently had my TWiki-based wiki farm broken into, for the 3rd time in 4 years, despite trying to stay up to date at least with Debian releases. Fortunately, I had each wiki set up to run suexec as an individual user, so the damage was reasonably well contained.

    Since TWiki's security problems seem intractable (giant Perl codebase that's very difficult to audit and doesn't seem to have been designed to handle security) I decided that enough is enough and followed freedesktop.org's lead in moving the whole farm to MoinMoin. MoinMoin is written in Python rather than Perl, and seems to be better thought out in terms of security, although I had to hack up the source some to get what I wanted. Some open source migration tools will be made available shortly.

    I wouldn't recommend to anyone that they run a publically-viewable TWiki installation at this point.

    1. Re:We're done with TWiki by Florian+Weimer · · Score: 2, Informative

      I also recently had my TWiki-based wiki farm broken into, for the 3rd time in 4 years, despite trying to stay up to date at least with Debian releases.

      TWiki is not part of any official Debian release. The current round of bugs was fixed for the twiki package in unstable in March 2005, in version 20040902-2.

      Since TWiki's security problems seem intractable (giant Perl codebase that's very difficult to audit and doesn't seem to have been designed to handle security)

      Actually, it's not that bad. External processes are only invoked in very few places, and it's more or less straightforward to patch them so that shell command injection is probably impossible (not "provably impossible" of course, but close). See my TWiki robustness patch for the details.

      I wouldn't recommend to anyone that they run a publically-viewable TWiki installation at this point.

      The alternatives aren't that much better, unfortunately. You might be able to trade shell command injection for SQL injection. The wiki mindset seems to be quite a bit away from a computer security mindset. But this shouldn't come as a surprise because giving permission to random visitors to edit your site needs quite a bit of faith.

    2. Re:We're done with TWiki by Bralkein · · Score: 2, Interesting

      In addition to your story and the one in TFA, the Rockbox project recently had a security breach in TWiki too, and the whole thing got deleted. The news item is still there on their website, if you want to read it. I know the plural of "anecdote" is not "data", but this little collection of tales of woe still doesn't do much to bolster my confidence in TWiki.

    3. Re:We're done with TWiki by dbg400 · · Score: 4, Informative

      I also recently had my TWiki-based wiki farm broken into, for the 3rd time in 4 years, despite trying to stay up to date at least with Debian releases. Fortunately, I had each wiki set up to run suexec as an individual user, so the damage was reasonably well contained.

      I'm running the TWiki Debian packages (from Unstable) but follow the security mailing list and fortunately have patched (just) in time (so far). The first of the two recent vulnerabilities brought an attempted attack on my server around 12 hours after getting the initial email warning.

      Since TWiki's security problems seem intractable (giant Perl codebase that's very difficult to audit and doesn't seem to have been designed to handle security) I decided that enough is enough and followed freedesktop.org's lead in moving the whole farm to MoinMoin

      It's probably not much consolation, but the upcoming Dakar release features a much revised code base with security in mind.

  11. Re:Twiki breached! Rodgers upset. by ettlz · · Score: 2, Funny

    Actually, it's Rogers (no "d"). From Wikipedia,

    Twiki, a small robot, tended to express himself with the ejaculation "biddi-biddi-biddi"...

    OK, let's have a show of hands: how many of you guys around here do this as well?

    Come on...

  12. Re:Look out now for the FUD by sumdumass · · Score: 3, Funny

    what does watching an opera have to do with t he interweb thingy?

    Look out i gatta go back to clicking up a storm. They are paying me to surf now :)`

  13. Re:Wow, on the heels of the HP/Netscape news... by LWATCDR · · Score: 3, Informative

    But this isn't the Mozilla project. And Mozilla is inherently safer than IE.
    Why? Because Mozilla isn't port of the OS. Exploits in IE have tended to open up the entire OS to virus and malware. Exploits in Mozilla tend to crash Mozilla. Same thing with Outlook and Thunderbird.
    Finally to answer this statement of yours
    "Wake up kids. They're as fallible as anyone at Microsoft and things like this will happen. Whether it is the browser or the websites hosting or the wikis, or whatever, mistakes are going to be made and patches and corrections will need to be done."
    If you look at the spreadfirefox.org website you will see this statement "This site is not connected to the Mozilla Foundation"
    So... your point is? The cracking of this website that is in not connected to the Mozilla Foundation proves what????

    I agree that Mozilla is not perfect just better than IE.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  14. Re:Wow, on the heels of the HP/Netscape news... by Shaper_pmp · · Score: 3, Insightful

    Right. Of course.

    Because the guys behind Mozilla/Firefox are clearly the same people as those who write TWiki, right? And the guys who run the Firefox marketing site are clearly exactly the same guys who do the hardcore browser development too.

    I'm all for pointing out when anyone fucks up, regardless of if they're saintly Firefox developers or "t3h evil 0ne5" at Microsoft. Nevertheless, if we're going to start pointing fingers at anyone and scoring cheap points, can we at least make sure it's, y'know... their fault?

    Short-sightedly knee-jerking and implying a marketing-run website crack is in any way a reflection of the security of an entirely separate developer-run product is just as bad as the people you're having a go at that think FL/OSS developers' shit smells of roses.

    --
    Everything in moderation, including moderation itself
  15. Website down for two weeks by totallygeek · · Score: 2, Funny
    Can you imagine shutting your corporate website down for 2 weeks?


    That would constitute vacation, something of which I have not been familiar with in some time. So, no, I cannot imagine that.

    --
    Click here or here.
    1. Re:Website down for two weeks by Keruo · · Score: 2, Funny

      just have to remember to post a link to your www server in a story on slashdot front page while you're setting up the tent, that way you'll have nice camp fire set up, as the server goes up in flames

      --
      There are no atheists when recovering from tape backup.
  16. The culprit is..... by 8127972 · · Score: 2, Funny

    .... Likely a Microsoft employee. These days, they'll do anything to avoid a flying chair.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  17. Re:The difference between Mozilla and Firefox... by ninja_assault_kitten · · Score: 2, Informative

    I think you've missed the point. Firefox (and it's users) began no with a claim of a faster response to security issues, but rather to a superior security architecture which was less conducive to the remotely exploitable vulnerabilities IE has fallen victom to. Clearly they were wrong and now all they have to hang on to is their response time, which they push every second they can.