Mozilla yesterday said an unknown attacker accessed its Bugzilla bug-and-change tracking database, stole information about 53 critical security vulnerabilities, and used at least one of those flaws to attack Firefox users.
Bugzilla is the open-source tracker that Mozilla's developers -- both paid and volunteer -- use to log issues, whether security related or not; discuss different options before making changes; and pass potential fixes back and forth. Normally, bugs are open to the public, but some, especially ongoing security fixes, are accessible only to privileged account holders.
Entries on critical bugs are blocked to all but privileged accounts long after a fix has been released to ensure that the bulk of Firefox users have installed the patch.
"An attacker was able to break into a privileged user's account and download security-sensitive information about flaws in Firefox and other Mozilla products," Mozilla said Friday in an FAQ about the breach. "Information uncovered in our investigation suggests that the user reused their Bugzilla password with another website, and the password was revealed through a data breach at that site."
"We believe they used that information to attack Firefox users," added Richard Barnes, a co-lead of the Mozilla security team, in a post to a company blog yesterday.
The attack that relied on the stolen information was one that Mozilla patched Aug. 6, after reports surfaced that a Russian news site was serving a Firefox exploit that searched for sensitive files and uploaded them to a server in Ukraine. The attacker had focused on purloining files related to a number of developer tools. In hindsight, the targets of that attack now make more sense; presumably, the attacker was looking for information to better leverage the bug uncovered on Bugzilla, or locate additional vulnerabilities developers were discussing.
The FAQ spelled out in detail Mozilla's take on the timeline of the breach and its impact.
According to the FAQ, access to the privileged account went back at least to September 2014, with some indications that it started a year before that.
Not all 53 critical security vulnerabilities the attacker scouted were of use; Mozilla said that 43 had been patched by the time the hacker gained access to Bugzilla. Three of the remaining 10, however, were open -- in other words, still being worked on, with no patch yet issued -- for between 131 and 335 days.
The Bugzilla entry on the single vulnerability definitely used by the thief was open for 36 days, Mozilla said.
The open-source developer has taken steps to secure Bugzilla, including requiring those with access to security-sensitive information to reset their passwords and adopt two-factor authentication. Barnes also said that Mozilla is "Reducing the number of users with privileged access and limiting what each privileged user can do."
The incident isn't the first problem with Bugzilla. Last year, tens of thousands of Bugzilla users' email addresses and encrypted passwords were exposed on a publicly-accessible server for as long as three months. Also in 2014, Bugzilla was patched to lock down a privilege escalation vulnerability that could have let unauthorized users gain administrative access.
Mozilla urged Firefox users to update the browser to Firefox 40, which was released Aug. 27, as that version patched all remaining vulnerabilities the attacker accessed.