Mozilla improves Security for Bugzilla after security breach

Firefox development relies largely on Bugzilla, a bug tracking application that Mozilla developers use to keep track of the development of features and changes in the Firefox web browser.

Most bug listings are accessible by the public, an account is not needed for read access. Only security-sensitive information are not accessible publicly as criminals could use them to create exploits and target Firefox users before patches hit the browser.

Security-sensitive information are only accessible by privileged users and while that keeps unauthorized users at bay, it is not a 100% protection against unauthorized access.

Mozilla revealed today that an attacker managed to steal security-sensitive information from Bugzilla and used the information to attack users of the Firefox browser in the process.

The attacker managed to take over a privileged account to gain access to security-sensitive information on Bugzilla. Mozilla believes that the attacker used the information to exploit a vulnerability in Firefox (which was patched by Mozilla in the meantime).

The attacker managed to access 186 non-public bugs on Bugzilla of which 53 were listing sever vulnerabilities and 22 minor security issues. Of those 53 severe ones, 43 had already been patched by Mozilla which left 10 security related bugs with a window of time to target Firefox users.

All vulnerabilities have been patched on August 27  in release versions of Firefox with the release of Firefox 40.0.3.

Mozilla improved security for Bugzilla as a response to the attack which protect privileged accounts and the information these accounts have access to.

Here is what Mozilla did in detail

Make all users with privileged access change their passwords.

Enforce 2-factor authentication for all privileged accounts.

Reduce the number of privileged users.

Limit what privileged users can do.

In other words, we are making it harder for an attacker to break in, providing fewer opportunities to break in, and reducing the amount of information an attacker can get by breaking in.

The linked FAQ reveals additional details about the attack. The attacker gained access to Bugzilla as early as September 2013. Information gathered by Mozilla suggest that access to the password was gained on another site the same password was used on.