Unknown Attacker Creeps into Bugzilla, the Open-Source Bug-and-Change Tracker

By CIOReview | Wednesday, September 23, 2015

FREMONT, CA: Bugzilla, the open-source bug-and-change tracking database that Mozilla's developers use to log issues, has been accessed by an unknown attacker, and information on 53 vulnerabilities was stolen, at least one of which has been used to attack Firefox users.

Most bugs in Bugzilla are open to the public, so options are generally discussed openly before changes are made; but some bugs, especially those covering security fixes still in progress, are visible to privileged account holders only.

The attack relied on the patch Mozilla released on August 6, 2015, after reports that a Russian news site searched for sensitive files and uploaded them to a server in Ukraine. The stolen files related to developer tools. The attacker was looking for information to understand the bugs recorded in Bugzilla.

Access to the privileged account has been traced back to September 2014, and the attack started a year before that. Mozilla says that of the 53 critical vulnerabilities the attacker accessed, 43 had already been fixed; 3 of the remaining 10 were still open, meaning patches were being worked on but had not yet been issued. The attacker is suspected to have used a vulnerability entry in Bugzilla that remained unpatched for 36 days.

The open-source community has taken the necessary steps to secure Bugzilla, including password resets for accounts with access to security-sensitive information, two-factor authentication and other measures. Richard Barnes, Security Lead at Mozilla, explains that the company has also begun to reduce the number of users with privileged access and to limit what each privileged user can do.

Mozilla has advised users to update their browser to Firefox 40, in which all of the vulnerabilities have been patched.