Slashdot Mirror


Bugzilla Breached, Private Vulnerability Data Stolen

darthcamaro writes: Mozilla today publicly announced that secured areas of Bugzilla, where non-public zero-days are stored, were accessed by an attacker. The attacker got access to as many as 185 security bugs before they were made public. They say, "We believe they used that information to attack Firefox users." The whole hack raises the issue of Mozilla's own security, since it was a user password that was stolen and the Bugzilla accounts weren't using two-factor authentication. According to Mozilla's FAQ about the breach (PDF), "The earliest confirmed instance of unauthorized access dates to September 2014. There are some indications that the attacker may have had access since September 2013."

40 of 97 comments

  1. Haha. by Anonymous Coward · · Score: 3, Insightful

    You just can't make this stuff up.

    I've come to the conclusion that human nature just does not allow good security. If you make something completely secure, you've spent way too much time on it and your competitors have beat you to market. People don't care.

    1. Re: Haha. by Anonymous Coward · · Score: 2, Interesting

      Bugzilla is an especially bad piece of software. I had to use it for years.

      Here's the proof:
      https://bugzilla.mozilla.org/show_bug.cgi?id=540

      This bug has been open since 1999 and survived a complete rewrite of Bugzilla in another language. Nice read if you have the time.

      How someone could still use this piece of crap is beyond me. Especially Mozilla.

    2. Re:Haha. by Anonymous Coward · · Score: 1

      Indeed. I worked for a software 'security' startup with security certifications, and security was the least important priority. They have documented procedures that are demanded by the customers, and they exist purely for show.
      Some examples are:
      - Most developers have full read/write access to customer data, and many modify it without telling anyone (procedures require tickets).
      - Vulnerabilities such as XSS are ignored by developers, and we have to notify customers within 30 days by contract. Upper management ordered us not to tell customers.
      - Support and sales share customer passwords over email ... threads get forwarded around with said passwords.
      - Some of the third-party library versions are up to a decade old ... still maintained, but the devs are afraid to upgrade.
      - Some devs bring code from former employers and are praised for it.
      - Lead devs have no understanding of unit testing and refuse to write unit tests: it is QA's job to find bugs.

      And this is happening at a successful 'unicorn' startup; the customers are very large financial companies, health insurers, even foreign government agencies.

      I can only conclude that security certifications are meaningless, since the external auditors make no effort whatsoever to confirm that the procedures are nothing more than TSA theater.

    3. Re: Haha. by shonangreg · · Score: 1

      I know you geeks can be "eccentric", but I don't think you can pick up girls by claiming the way to fix this is to jog nude.

    4. Re: Haha. by Gerv · · Score: 1

      There was no issue with the Bugzilla software here; the problem was that a user reused their password on another site, which suffered a breach.

      Gerv

    5. Re: Haha. by Gerv · · Score: 1

      The bug is unfixed for philosophical reasons, not because it's hard to fix. The Bugzilla developers feel history should be immutable.

      And there has been no rewrite into another language since that bug was filed; Bugzilla as released by Mozilla has always been in Perl.

      Gerv

  2. Interesting Data Point by Bill Hayden · · Score: 5, Interesting

    The most interesting aspect of this, in my opinion, is that once the vulnerabilities were known to not be private anymore, the vendor (Mozilla in this case) immediately fixed all of them. Some bugs had been open for over 300 days. What this says to me is that by keeping vulnerabilities private, it makes vendors lazy about fixing them, and is another data point in favor of the "full disclosure" model of computer security.

    --
    Protect your browser with the Force Safe Search add-on

    1. Re:Interesting Data Point by Anonymous Coward · · Score: 3, Interesting

      What this says to me

      I'm glad it's talking to you, and not that you're actually concluding anything, nor even making correct observations.

      It demonstrates that disclosure should occur after a certain limited time period, but not "full disclosure". No bug is fixed instantly, and Mozilla didn't "immediately" do anything - it just did so in a short time.

      It never ceases to amuse me how binary nerds are in their answers to problems. Every real-world problem involves a nuanced solution which acknowledges extremes only as an initial, crude approximation of reality.

      (Communists, libertarians, atheist-zealots and God-thumpers can fuck off for the same reasons.)

    2. Re:Interesting Data Point by Anonymous Coward · · Score: 4, Insightful

      Absolutely true.

      There was one password-stealing bug (JavaScript can steal focus between tabs) that I was tracking in Firefox for _over 2 years_ that kept getting deferred.

      Then one day, it got reported on one of the big security mailing lists. Suddenly, a new bug report got created and fixed within 2 days, and the 2 year old bug report got marked as a duplicate. The devs went on to pat themselves on the backs and crow publicly about how they fixed it so quickly.

    3. Re:Interesting Data Point by Anonymous Coward · · Score: 1

      After reading the article it seems like they held up on those last 10 severe vulnerabilities due to potential regressions.

    4. Re:Interesting Data Point by radarskiy · · Score: 3, Insightful

      "it makes vendors lazy about fixing them"

      You cannot say this without knowing what they were doing instead of fixing these particular bugs. They may have correctly triaged the undisclosed bugs in terms of importance until disclosure forced less important bugs to a higher urgency.

    5. Re:Interesting Data Point by DNS-and-BIND · · Score: 3, Insightful

      Oh, come on, that's bullshit. Mozilla hates fixing bugs and would much rather work on adding new features. Anytime someone tries to pull that "we are working on more important bugs" baloney, it means they're not working on anything. Those bugs will sit there unfixed for years; if they were actually prioritizing bugs, they'd get fixed eventually. But, no. It's just a phrase they use to brush off criticism.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!

    6. Re:Interesting Data Point by citizenr · · Score: 1

      "it makes vendors lazy about fixing them"

      You cannot say this without knowing what they were doing instead of fixing these particular bugs.

      We do know: they SAT ON THEM.

      --
      Who logs in to gdm? Not I, said the duck.

    7. Re:Interesting Data Point by amorsen · · Score: 1

      They may have correctly triaged the undisclosed bugs in terms of importance until disclosure forced less important bugs to a higher urgency.

      They made the assumption that undisclosed bugs are unknown to blackhats. As the breach shows, that is a pretty bad assumption.

      Basing importance on the disclosure status is a horrible policy, and the only effective antidote is immediate full disclosure without grace period.

      --
      Finally! A year of moderation! Ready for 2019?

    8. Re:Interesting Data Point by ioErr · · Score: 1

      Most likely referring to this bug or one of its duplicates: https://bugzilla.mozilla.org/s...

  3. Re:Chrome by Anonymous Coward · · Score: 5, Informative

    Just one more reason to use Chrome. Firefox hasn't offered anything in years that Chrome doesn't do and does better, and since it's free and open source there's really no reason at all to stick with a legacy browser.

    Chromium is open source. Chrome is not.

  4. *Mozilla* Bugzilla breached. Not all bugzillas by Da w00t · · Score: 5, Informative

    Please update the article title, JFC.

    --

    da w00t. mtfnpy?

  5. Noticeably absent is WHEN this happened by 93 Escort Wagon · · Score: 2

    Perhaps Mozilla discovered this long ago, but have spent all this time trying to ascertain the political opinions held by the attacker?

    --
    #DeleteChrome

    1. Re:Noticeably absent is WHEN this happened by nickweller · · Score: 1

      "The earliest confirmed instance of unauthorized access dates to September 2014" ref

  6. I hate computers by AndyKron · · Score: 1

    I'm beginning to hate computers with a passion.

    1. Re:I hate computers by amicusNYCL · · Score: 1

      Why? Computers only do what the programmers tell them to. What exactly do you hate about them?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black

    2. Re:I hate computers by antdude · · Score: 1

      Same here. I used to love computers, but these days I care not for them. Looking at the recent and newer stuff doesn't excite me anymore: mobile, GUI, so many bugs, lack of support, security, so many updates, etc. Maybe it is my old age. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).

    3. Re:I hate computers by antdude · · Score: 1

      Same here. It amazes me how easily they break in software and hardware. They're getting too complex. I prefer older stuff that just works well. :/

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).

  7. Bugzilla by allo · · Score: 1

    Nomen est Omen.

  8. A return to priorities? by SeaFox · · Score: 2, Insightful

    Gee Mozilla. Better get to work fixing those 185 vulnerabilities now, instead of sitting on them while you work on copying Chrome's look and feel or think of new unrelated tech ventures to get involved in.

    1. Re:A return to priorities? by F.Ultra · · Score: 2

      Apparently most of them were fixed a long time ago; the rationale behind the 185 number is that the account was compromised back in September 2013, and according to the user history he had looked at 185 bugs during that time frame.

    2. Re:A return to priorities? by tajribah · · Score: 1

      The single fact that there was a high-security bug unfixed for at least 335 days (as admitted by Mozilla's FAQ) tells that there was something very seriously wrong in Mozilla's handling of security vulnerabilities. That is the reality and it should be passed around.

    3. Re:A return to priorities? by Lennie · · Score: 1

      Do you really believe you can easily find developers that are really good at security code auditing and fixing security issues, or use other developers and let them fix these security issues? I don't think these things are related.

      --
      New things are always on the horizon

    4. Re:A return to priorities? by tajribah · · Score: 1

      I accept that some security bugs can be hard to fix. Still, it gives a clear message about the values held by the organization if copying Chrome's UI has higher priority than fixing security bugs.

    5. Re:A return to priorities? by SeaFox · · Score: 1

      Firefox isn't one of those volunteer-staffed community projects. It has a large non-profit with paid developers backing it. Given all the people that use Firefox on a day-to-day basis to carry out sensitive health and financial-related tasks online, is it wrong to think Mozilla should hire a security-focused developer into the fold?

    6. Re:A return to priorities? by tajribah · · Score: 1

      Well, yes and no... Within a year, almost anybody can learn to fix a garbage collector.

  9. Re:Lol by bob_super · · Score: 3, Interesting

    Noscript + adblock + ghostery + gestures + faviconizetab + tabmixplus + Not_from_Google + Not_from_Apple + Not_from_MS + ...

  10. Flip side: Higher priority bugs remain unfixed by davidwr · · Score: 4, Insightful

    The most interesting aspect of this, in my opinion, is that once the vulnerabilities were known to not be private anymore, the vendor (Mozilla in this case) immediately fixed all of them

    A better way of saying what really happened:

    ... is that once the vulnerabilities were known to not be private anymore, the vendor ... was forced to pull resources from more severe but still-believed-to-be-undisclosed bugs to get these patched, resulting in delays in getting those more-severe bugs fixed.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

  11. If they would FIX bugs, this would not happen by swschrad · · Score: 1

    Mozilla has a nasty habit of warehousing bugs that can't get fixed with the wave of a hand. That's why I quit the thing for Chrome a long time ago.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?

  12. And tonight, somewhere, an NSA agent ... by davidwr · · Score: 2

    ... is crying.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

  13. When SJW diversity trumps competency... by sethstorm · · Score: 1

    ...this kind of thing will happen. Hopefully they're competent enough to fix it.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.

  14. Re: Chrome by amorsen · · Score: 1

    The Fedora build of Firefox is certainly built from source. It is still called Firefox.

    Fedora is discussing whether it is feasible to continue with Firefox-branded Firefox due to the new signed-addon policy. But for now, you can certainly get your open source Firefox fix that way.

    --
    Finally! A year of moderation! Ready for 2019?

  15. Re:Chrome by Lennie · · Score: 1

    And without Firefox, lots of things Chrome/Chromium/Opera do don't get to be standards.

    Because it's Firefox (gecko) and Chrome/Chromium/Opera (blink) are ahead of the pack. You need at least 2 browser (engine) implementations to make a standard.

    I would prefer multiple open source implementations and standards and not just a single open source implementation.

    Standards are the only way we can get rid of things like Flash.

    --
    New things are always on the horizon

  16. "Breached" by Linkreincarnate · · Score: 1

    In completely unrelated news their bank account was also breached when a literal ton of money was deposited by Five Eyes.

  17. Re: Chrome by Gerv · · Score: 1

    The code for the DRM module Firefox uses is not part of the Firefox build system, but is downloaded at runtime. This can be done whether it's a Firefox built by Mozilla or not. So the DRM question has no bearing on whether you can call your version Firefox or not.

    This series of blog posts: http://blog.gerv.net/2010/01/p... explains why Mozilla doesn't let just anyone call their modified version "Firefox".

    Gerv