SpreadFirefox Security Breached (again)

Kurt writes "The hugely popular SpreadFirefox project, a Firefox community marketing site, has recently fallen victim to a security breach in their TWiki software. This breach has forced the site to shut down until October 19th. During this time, they will be performing a rebuild of the SpreadFirefox system, to hopefully curb more security breaches."


  1. Message by mysqlrocks · · Score: 3, Funny

    I noticed this message yesterday. I was wondering what it was about. Where did slashdot get this info? I didn't see it on Mozilla's web site yesterday.

    1. Re:Message by druske · · Score: 5, Informative
      The SpreadFirefox team sent this email out to registered users:

      The Spread Firefox Team became aware this week that the server hosting
      Spread Firefox, our community marketing site, has been accessed by
      unknown remote attackers who attempted to exploit a security
      vulnerability in TWiki software installed on the server. The TWiki
      software was disabled as soon as we were aware of the attempts to access
      SpreadFirefox.com. This exploit was limited to SpreadFirefox.com and
      did not affect mozilla.org web sites or Mozilla software.

      We have scanned Spread Firefox servers and at this time do not believe
      any sensitive data was taken, but as a precautionary measure we have
      shut down the site and will be rebuilding the web site from scratch. We
      also recommend that you change your Spread Firefox password and the
      password of any accounts where you use the same password as your Spread
      Firefox account. We will notify you again when the site is back up with
      instructions on how to change your password. (Note: We do use MD5
      hashing on the passwords, but MD5 cannot protect all passwords against
      off-line dictionary style attacks.)

      After Spread Firefox was compromised in July, we instituted procedures
      to ensure that we apply all security fixes to the software running the
      site (Drupal and PHP) as soon as they become available. Unfortunately,
      those procedures overlooked the installation of the TWiki software since
      it is not used by the main Spread Firefox site. When the system is
      rebuilt, all the software will be audited to ensure that security
      updates will be applied in a timely manner. We deeply regret this
      incident and any inconvenience this may have caused you. Sincerely,

      Spread Firefox Team
      Mozilla Foundation
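      The email's note that MD5 "cannot protect all passwords against off-line dictionary style attacks" is worth seeing in code. The following is an added example, not part of the Spread Firefox email or any Mozilla or TWiki code: it runs a constructed dictionary against a constructed table of unsalted MD5 hashes (the scheme the email describes), then against the same passwords stored with a per-user salt and an iterated KDF (PBKDF2-HMAC-SHA256 from Python's standard library). The user records, passwords and wordlist are all made up for illustration.

```python
"""Offline dictionary attack on unsalted MD5 password hashes versus a
salted, iterated KDF. Added example; the records, wordlist and digests
are constructed, not taken from any real breach."""
import hashlib
import hmac
import os

# Constructed dictionary; a real attacker uses millions of entries plus rules.
WORDLIST = ["password", "123456", "firefox", "letmein", "mozilla", "qwerty"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_md5_table(records):
    """Simulate a site that stores unsalted MD5(password) for each user.
    records: iterable of (username, password) tuples (constructed)."""
    return {user: md5_hex(pw) for user, pw in records}


def crack_unsalted_md5(table, wordlist):
    """Offline dictionary attack on unsalted MD5. Hash each word once, then
    look every user's stored hash up in that table: identical passwords give
    identical hashes, so the cost is O(|wordlist|), not O(|wordlist|*|users|),
    and the lookup table can be precomputed before the hashes are ever seen."""
    lookup = {md5_hex(w): w for w in wordlist}
    work = len(lookup)  # number of hash computations performed
    found = {user: lookup[h] for user, h in table.items() if h in lookup}
    return found, work


def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256, standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_salted_table(records, iterations=100_000):
    """Store (salt, digest) with a fresh random 16-byte salt per user."""
    table = {}
    for user, pw in records:
        salt = os.urandom(16)
        table[user] = (salt, slow_hash(pw, salt, iterations))
    return table


def crack_salted(table, wordlist, iterations=100_000):
    """Same dictionary against the salted table. The per-user salt defeats any
    shared lookup table, so every (user, word) pair costs one full KDF run;
    weak passwords still fall, but each guess is far more expensive."""
    found = {}
    work = 0
    for user, (salt, digest) in table.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(slow_hash(w, salt, iterations), digest):
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    # Constructed user records; bob's password is not in the dictionary.
    records = [("alice", "firefox"), ("bob", "Tr0ub4dor&3"), ("carol", "letmein")]
    weak, w1 = crack_unsalted_md5(make_md5_table(records), WORDLIST)
    print(f"unsalted MD5: cracked {weak} with {w1} hash computations")
    strong, w2 = crack_salted(make_salted_table(records), WORDLIST)
    print(f"salted PBKDF2: cracked {strong} with {w2} KDF runs")
```

      Both runs recover alice's and carol's passwords, which is exactly the email's point: hashing, salted or not, cannot rescue a password that is in the attacker's dictionary, so the advice to change any reused password stands. What the salt and iteration count change is the cost: six MD5 computations crack the whole unsalted table regardless of how many users it holds, while the salted table forces a separate slow KDF run for every user and every guess.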
  2. hm by sexyrexy · · Score: 4, Insightful

    OSS isn't inherently any more secure than proprietary software. It's just that the nature of the typical OSS developer vs a corporation means that the OSS organization is more transparent when bad things do happen. It doesn't mean that the security breach didn't already happen, though.

    --

    Rex is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    1. Re:hm by LnxAddct · · Score: 4, Informative

      This was a problem with one very small portion (twiki) of spreadfirefox. The system was set up regardless so that no user information was exposed. Nothing bad happened, spreadfirefox sent out a nice email to all registered users just letting them know that a remote attack was attempted.
      Regards,
      Steve

    2. Re:hm by ArsenneLupin · · Score: 4, Insightful
      the OSS organization is more transparent when bad things do happen

      That's correct. OSS organizations already warn their public if something might have happened to their website.

      Commercial organizations, on the other hand, don't warn their public. There may even be entire herds of goats trampling all over their website, and the public still isn't warned. Instead they quietly chase away the goats, still without a word of explanation to the public. And then completely forget to mend the fence through which the goats entered!

    3. Re:hm by ajs318 · · Score: 4, Insightful

      OSS is inherently more secure than proprietary software.

      Proprietary software authors do not have to do things "properly", they just kludge things together that may or may not work in every possible weirdy case, and rely on nobody ever seeing what an awful job they made of it in the first place. Witness any open source project that used to be closed-source {Mozilla; OpenOffice.org; Solaris}. Open Source developers have to write code that they would not be ashamed to show to anybody, because they do not know who is going to be looking at it. To quote Larry Wall, "Hubris is the quality that makes you write (and maintain) programs that other people won't want to say bad things about. Hence, the third great virtue of a programmer." They also have to write code in such a way that it won't be obvious from inspecting it how to misuse it.

      Morbid curiosity is what makes people look at source code; and there are significantly more good guys than bad, so if anyone is looking at your source code, the chances are that their intentions are honourable.

      --
      Je fume. Tu fumes. Nous fûmes!
  3. Wrong Date by rb2297 · · Score: 5, Informative

    It says the site is down until the 15th not the 19th...

    1. Re:Wrong Date by Anonymous Coward · · Score: 3, Funny

      If we can't trust them about showing correct dates, then for goodness sake, why should we believe there even WAS a security breach?

  4. Not Mozilla software that was hacked by elfguygmail.com · · Score: 3, Informative

    It's not Mozilla software that got hacked. If it's indeed the Wiki part, then it's the MediaWiki software, which is also open source but has nothing to do with Mozilla or Firefox. Either way, that web site is very user-based where tons of tools were hosted for the community like public forums and freely editable wikis, so it's not surprising that some of them may have issues. Until the actual mozilla.org site gets hacked, which I highly doubt will ever happen, there's nothing to worry about.

    1. Re:Not Mozilla software that was hacked by Gaspo · · Score: 3, Insightful

      It's not about the fact that it was a user community, rather than the actual Mozilla.org site that was compromised. From a PR standpoint, the reports will concentrate, I suspect, on the fact that something associated with Mozilla was broken into, and thus will cast the Mozilla Foundation as a whole in a rather negative glow. Hopefully it won't last too long, or perhaps hell will freeze over and accurate reporting will prevail.

    2. Re:Not Mozilla software that was hacked by kccricket · · Score: 3, Informative
      It's not about the fact that it was a user community, rather than the actual Mozilla.org site that was compromised.

      Yeah, except that:
      This exploit was limited to SpreadFirefox.com and did not affect mozilla.org web sites or Mozilla software.
      --
      * chirp * chirp *
    3. Re:Not Mozilla software that was hacked by sprintstar · · Score: 5, Informative

      It wasn't MediaWiki , it was TWiki. They have (AFAIK) nothing to do with each other.

  5. Can you imagine... by SocietyoftheFist · · Score: 3, Insightful

    Shutting your corporate website down for 2 weeks?

  6. Dupe! by Scoria · · Score: 4, Funny

    Look at this! Now they're even taunting us by appending "(again)" to the duplicate subject entries!

    --
    Do you like German cars?
  7. We're done with TWiki by po8 · · Score: 5, Informative

    I also recently had my TWiki-based wiki farm broken into, for the 3rd time in 4 years, despite trying to stay up to date at least with Debian releases. Fortunately, I had each wiki set up to run suexec as an individual user, so the damage was reasonably well contained.

    Since TWiki's security problems seem intractable (giant Perl codebase that's very difficult to audit and doesn't seem to have been designed to handle security) I decided that enough is enough and followed freedesktop.org's lead in moving the whole farm to MoinMoin. MoinMoin is written in Python rather than Perl, and seems to be better thought out in terms of security, although I had to hack up the source some to get what I wanted. Some open source migration tools will be made available shortly.

    I wouldn't recommend to anyone that they run a publicly-viewable TWiki installation at this point.

    1. Re:We're done with TWiki by dbg400 · · Score: 4, Informative

      I also recently had my TWiki-based wiki farm broken into, for the 3rd time in 4 years, despite trying to stay up to date at least with Debian releases. Fortunately, I had each wiki set up to run suexec as an individual user, so the damage was reasonably well contained.

      I'm running the TWiki Debian packages (from Unstable) but follow the security mailing list and fortunately have patched (just) in time (so far). The first of the two recent vulnerabilities brought an attempted attack on my server around 12 hours after getting the initial email warning.

      Since TWiki's security problems seem intractable (giant Perl codebase that's very difficult to audit and doesn't seem to have been designed to handle security) I decided that enough is enough and followed freedesktop.org's lead in moving the whole farm to MoinMoin

      It's probably not much consolation, but the upcoming Dakar release features a much revised code base with security in mind.

  8. Re:Look out now for the FUD by sumdumass · · Score: 3, Funny

    what does watching an opera have to do with the interweb thingy?

    Look out I gotta go back to clicking up a storm. They are paying me to surf now :)

  9. Re:Wow, on the heels of the HP/Netscape news... by LWATCDR · · Score: 3, Informative

    But this isn't the Mozilla project. And Mozilla is inherently safer than IE.
    Why? Because Mozilla isn't part of the OS. Exploits in IE have tended to open up the entire OS to virus and malware. Exploits in Mozilla tend to crash Mozilla. Same thing with Outlook and Thunderbird.
    Finally to answer this statement of yours
    "Wake up kids. They're as fallible as anyone at Microsoft and things like this will happen. Whether it is the browser or the websites hosting or the wikis, or whatever, mistakes are going to be made and patches and corrections will need to be done."
    If you look at the spreadfirefox.org website you will see this statement "This site is not connected to the Mozilla Foundation"
    So... your point is? The cracking of this website that is not connected to the Mozilla Foundation proves what????

    I agree that Mozilla is not perfect just better than IE.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  10. Re:Wow, on the heels of the HP/Netscape news... by Shaper_pmp · · Score: 3, Insightful

    Right. Of course.

    Because the guys behind Mozilla/Firefox are clearly the same people as those who write TWiki, right? And the guys who run the Firefox marketing site are clearly exactly the same guys who do the hardcore browser development too.

    I'm all for pointing out when anyone fucks up, regardless of if they're saintly Firefox developers or "t3h evil 0ne5" at Microsoft. Nevertheless, if we're going to start pointing fingers at anyone and scoring cheap points, can we at least make sure it's, y'know... their fault?

    Short-sightedly knee-jerking and implying a marketing-run website crack is in any way a reflection of the security of an entirely separate developer-run product is just as bad as the people you're having a go at that think FL/OSS developers' shit smells of roses.

    --
    Everything in moderation, including moderation itself
  11. Re:Here comes the trolls! by kiwimate · · Score: 3, Interesting

    ...this breach was due to poor server administration in that they didn't keep their software patched up to the latest version.

    Yep, agreed.

    Same as the majority * of Microsoft hacks. People not changing their SQL Server sa password from the default, or not applying the patch that blocks that particular vulnerability that was released by Microsoft six months ago, or...

    * Note: I fully expect someone to come up and say "but what about...". That's why I chose that phrasing. I'm not arguing Microsoft is perfect, and you can certainly argue whether open-source means you get the advantage of transparency **, or whatever your retort may be. But my contention is that the majority of hacks of Microsoft products come down to poor server administration.

    ** Which advantage is also extended to the hackers, of course.

  12. Re:Hmmm... by j-turkey · · Score: 3, Informative

    From the email sent out, it says that:

    We have scanned Spread Firefox servers and at this time do not believe any sensitive data was taken, but as a precautionary measure we have shut down the site and will be rebuilding the web site from scratch. We also recommend that you change your Spread Firefox password and the password of any accounts where you use the same password as your Spread Firefox account.

    It seems safe to assume that personal information is a subset of sensitive data, no?

    --

    -Turkey