
Firefox zero-days exposed by attack on privileged account

The attack that relied on the stolen information was one that Mozilla patched on August 6, after reports surfaced that a Russian news site was serving a Firefox exploit that searched for sensitive files and uploaded them to a server in Ukraine.


Mozilla, creator of the open-source Firefox browser and Thunderbird email client, has confessed to a breach in its bug-tracking system which saw ne’er-do-wells make off with zero-day vulnerabilities.

“The attacker acquired the password of a privileged Bugzilla user, who had access to security sensitive information”, the firm said.


Mozilla has meanwhile notified the relevant law enforcement authorities of the breach. The attacker reportedly gained access to a range of highly sensitive security information after acquiring the password of a high-level account holder.

According to the FAQ, access to the privileged account went back at least to September 2014, with some indications that it started a year before that.

Unfortunately, some very irresponsible parties have obtained access to these private bug reports – and, in doing so, ended up with a cache of zero-day vulnerabilities which can be, and are being, exploited in the wild to attack end-users. Although the latest version of Firefox successfully patched 43 of these severe bugs, the last 10 provided the hacker with ample opportunity to target Firefox users.

Mozilla released Firefox 39.0.3 a day later to patch the problem.

“We are updating Bugzilla’s security practices to reduce the risk of future attacks of this type”.

To access the information, the hacker acquired the password of a privileged user of Bugzilla, the tool Mozilla uses to track bugs as they are discovered and to share information among contributors to the project.

The company said it is “making it harder for an attacker to break in, providing fewer opportunities to break in, and reducing the amount of information an attacker can get by breaking in” following this incident.


Mozilla has admitted an attacker was able to access a treasure trove of Firefox bugs and used at least one security vulnerability against users as a result. Barnes also said that Mozilla is “reducing the number of users with privileged access and limiting what each privileged user can do”.
