Unnoticed Firefox attacker had access to severe vulnerabilities for over a year

An attacker with access to security-sensitive information about the Firefox web browser went unnoticed for up to two years, putting hundreds of millions of users at risk.

The attacker was able to spy on highly sensitive information by gaining access to a privileged account on Bugzilla@Mozilla, the bug tracking software the Mozilla corporation uses to store information about flaws in its software.

The company behind the popular web browser has revealed details of the breach in an FAQ document. It explains that the attacker gained access to information about 185 non-public bugs, of which 53 were classed as severe vulnerabilities.

Ten of those severe vulnerabilities were still unpatched when the attacker became aware of them, meaning that they could have been used to attack Firefox, and at least one of them was exploited in the wild.

The window of opportunity to exploit that bug was less than 36 days, but three of the bugs were known to the attacker and unpatched for far longer: two for more than 130 days and one for almost a year.

In the face of such an open window of opportunity, Mozilla’s boilerplate assurance that “there is no indication that any of the other bugs the attacker accessed have been exploited” isn’t very reassuring – absence of evidence is not evidence of absence after all.

Mozilla’s bug tracking system appears to have been infiltrated because of password reuse by one of its privileged users.

The attacker acquired the password of a privileged Bugzilla user, who had access to security sensitive information. Information uncovered in our investigation suggests that the user reused their Bugzilla password with another website, and the password was revealed through a data breach at that site ... There are some indications that the attacker may have had access since September 2013.

When a website is compromised and users’ passwords are exposed, the attackers behind the breach will often try those same passwords on a range of other sites, making it imperative to never use the same password twice.

We don’t know which site the user’s password was originally stolen from but the timing fits with a very high profile hack indeed. In September 2013 Adobe suffered a giant data breach, losing about 150 million records, including a vast trove of passwords that hadn’t been stored properly.

As you might expect, Mozilla has responded to the exposure of this highly sensitive data by beefing up its security:

Passwords have been reset for all privileged users, and going forward, all privileged users will be required to use two factor authentication to log in to Bugzilla. Second, we are reducing the access that each Bugzilla user is granted in order to limit the amount of information that could potentially be exposed in the event of unauthorized access. Third, we are increasing the amount of auditing we do on the actions of privileged users so that we can detect suspicious activity more quickly and accurately.

With so much malware being distributed via compromised websites, web browsers have been at the security sharp end for years and, by and large, they enjoy a solid reputation for seeking out and dealing with security issues.

Which makes it all the more surprising, and more than a little disappointing, that this attack might have been prevented with some fairly basic password best practice.

If the user in question hadn’t reused their password then the attacker would not have had an opportunity to access Bugzilla. And if Bugzilla had been equipped with two-factor authentication (2FA), an attacker with the right password could still have been thwarted.

If you are a Firefox user and you are using the latest version of the software then you are not at risk from any of the vulnerabilities the attacker had access to. If you are not using the latest version, update now!
