Slashdot Mirror


Bugzilla Breached, Private Vulnerability Data Stolen

darthcamaro writes: Mozilla today publicly announced that secured areas of Bugzilla, where non-public zero-days are stored, were accessed by an attacker. The attacker got access to as many as 185 security bugs before they were made public. They say, "We believe they used that information to attack Firefox users." The whole hack raises the issue of Mozilla's own security, since it was a user password that was stolen and the Bugzilla accounts weren't using two-factor authentication. According to Mozilla's FAQ about the breach (PDF), "The earliest confirmed instance of unauthorized access dates to September 2014. There are some indications that the attacker may have had access since September 2013."

5 of 97 comments

  1. Interesting Data Point by Bill+Hayden · · Score: 5, Interesting

    The most interesting aspect of this, in my opinion, is that once the vulnerabilities were known to not be private anymore, the vendor (Mozilla in this case) immediately fixed all of them. Some bugs had been open for over 300 days. What this says to me is that by keeping vulnerabilities private, it makes vendors lazy about fixing them, and is another data point in favor of the "full disclosure" model of computer security.

    --
    Protect your browser with the Force Safe Search add-on
    1. Re:Interesting Data Point by Anonymous Coward · · Score: 3, Interesting

      What this says to me

      I'm glad it's talking to you, and not that you're actually concluding anything, nor even making correct observations.

      It demonstrates that disclosure should occur after a certain limited time period, but not "full disclosure". No bug is fixed instantly, and Mozilla didn't "immediately" do anything - it just did so in a short time.

      It never ceases to amuse me how binary nerds are in their answers to problems. Every real-world problem involves a nuanced solution which acknowledges extremes only as an initial, crude approximation of reality.

      (Communists, libertarians, atheist-zealots and God-thumpers can fuck off for the same reasons.)

  2. Re:Lol by bob_super · · Score: 3, Interesting

    Noscript + adblock + ghostery + gestures + faviconizetab + tabmixplus + Not_from_Google + Not_from_Apple + Not_from_MS + ...

  3. Re:A return to priorities? by Anonymous Coward · · Score: 0, Interesting

    I work for Mozilla. So I am really getting a kick out of most of these replies. Some of you guys are very good at making it sound like you know what you are talking about. But trust me... you don't. I think you just want to make yourself sound smart, when in reality you don't know what you are talking about. This is how bad info gets passed around. If you don't know about the topic... don't make yourself sound like you do. Because some Slashdotters believe anything they hear.

  4. Re: Haha. by Anonymous Coward · · Score: 2, Interesting

    Bugzilla is an especially bad piece of software. I had to use it for years.

    Here's the proof:
    https://bugzilla.mozilla.org/show_bug.cgi?id=540

    This bug has been open since 1999 and survived a complete rewrite of Bugzilla in another language. Nice read if you have the time.

    How someone could still use this piece of crap is beyond me. Especially Mozilla.