Slashdot Mirror


Bugzilla Breached, Private Vulnerability Data Stolen

darthcamaro writes: Mozilla today publicly announced that secured areas of Bugzilla, where non-public zero-days are stored, were accessed by an attacker. The attacker got access to as many as 185 security bugs before they were made public. They say, "We believe they used that information to attack Firefox users." The whole hack raises the issue of Mozilla's own security, since it was a user password that was stolen and the Bugzilla accounts weren't using two-factor authentication. According to Mozilla's FAQ about the breach (PDF), "The earliest confirmed instance of unauthorized access dates to September 2014. There are some indications that the attacker may have had access since September 2013."

6 of 97 comments

  1. Haha. by Anonymous Coward · · Score: 3, Insightful

    You just can't make this stuff up.

    I've come to the conclusion that human nature just does not allow good security. If you make something completely secure, you've spent way too much time on it and your competitors have beaten you to market. People don't care.

  2. Re:Interesting Data Point by Anonymous Coward · · Score: 4, Insightful

    Absolutely true.

    There was one password-stealing bug (JavaScript can steal focus between tabs) that I was tracking in Firefox for _over 2 years_ that kept getting deferred.

    Then one day, it got reported on one of the big security mailing lists. Suddenly, a new bug report got created and fixed within 2 days, and the 2-year-old bug report got marked as a duplicate. The devs went on to pat themselves on the back and crow publicly about how they fixed it so quickly.

  3. A return to priorities? by SeaFox · · Score: 2, Insightful

    Gee, Mozilla. Better get to work fixing those 185 vulnerabilities now, instead of sitting on them while you work on copying Chrome's look and feel or think of new unrelated tech ventures to get involved in.

  4. Flip side: Higher priority bugs remain unfixed by davidwr · · Score: 4, Insightful

    The most interesting aspect of this, in my opinion, is that once the vulnerabilities were known to not be private anymore, the vendor (Mozilla in this case) immediately fixed all of them.

    A better way of saying what really happened:

    ... is that once the vulnerabilities were known to not be private anymore, the vendor ... was forced to pull resources from more severe but still-believed-to-be-undisclosed bugs to get these patched, resulting in delays in getting those more-severe bugs fixed.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

  5. Re:Interesting Data Point by radarskiy · · Score: 3, Insightful

    "it makes vendors lazy about fixing them"

    You cannot say this without knowing what they were doing instead of fixing these particular bugs. They may have correctly triaged the undisclosed bugs in terms of importance until disclosure forced less important bugs to a higher urgency.

  6. Re:Interesting Data Point by DNS-and-BIND · · Score: 3, Insightful

    Oh, come on, that's bullshit. Mozilla hates fixing bugs and would much rather work on adding new features. Anytime someone tries to pull that "we are working on more important bugs" baloney, it means they're not working on anything. Those bugs will sit there unfixed for years; if they were actually prioritizing bugs, they'd get fixed eventually. But, no. It's just a phrase they use to brush off criticism.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!