Hacker had access to sensitive info about Firefox bugs for over a year
Mozilla has announced on Friday that an attacker managed to access security-sensitive information about a considerable number of (at the time) unpatched Firefox vulnerabilities, and that there is evidence that at least one of them has been exploited in attacks in the wild.
The breach didn’t happen because of a critical vulnerability in Mozilla’s Bugzilla web-based bug tracker, but because the attacker managed to get hold of a privileged user’s account password, which the user had re-used on another website that had been breached.
“The earliest confirmed instance of unauthorized access dates to September 2014. There are some indications that the attacker may have had access since September 2013,” Mozilla explained in a FAQ.
The attacker accessed 185 nonpublic bugs. Of these, 53 were severe vulnerabilities, and “43 had already been fixed in the released version of Firefox at the time the attacker found out about them.”
Of the remaining 10, 2 were fixed less than 7 days after the attacker accessed information about them, 5 were fixed in a period between 7 and 36 days, and the remaining 3 were fixed 131, 157 and 335 days after, respectively.
“It is technically possible that any of these bugs could have been used to attack Firefox users in the vulnerability window. One of the bugs open less than 36 days was used for an attack using a vulnerability that was patched on August 6, 2015,” Mozilla noted. “Other than that attack, however, we do not have any data indicating that other bugs were exploited.”
Of course, attacks exploiting some of those other bugs could have been so limited that they were never noticed by users or flagged by security researchers.
The good news is that the breach forced Firefox to get a move on fixing those remaining issues, and they did so with Firefox 40.0.3, which was released on August 27. Users who haven’t yet updated to this version would do well to do it now.
Mozilla has also introduced several changes that should make attacks like this one impossible, or at least less likely: they have reset the passwords of all privileged users, mandated that those users enable two-factor authentication to log into Bugzilla, and limited the amount of information privileged users can access.