Mozilla has admitted an attacker was able to access a treasure trove of Firefox bugs and used at least one security vulnerability against users as a result.
The infiltration did not occur because of a security flaw, however. Instead, it was caused by an attacker getting hold of a Bugzilla password belonging to a privileged user.
Mozilla's Bugzilla is a web-based tracker which allows security staff and developers to keep track of problems with Mozilla products. While much of the information on the platform is public, security-sensitive information -- such as the disclosure of critical security flaws -- is kept only for the eyes of privileged users.
The exploited vulnerability was patched on August 6, but not before it was used in the wild. Overall, the attacker accessed 185 non-public bugs -- 110 "protected for reasons other than software security," 22 minor issues and 53 severe vulnerabilities.
Mozilla says there is no evidence other information contained in the portal has been used against Firefox users, and the latest Firefox version, released at the end of August, has fixed all of the vulnerabilities that the attacker learned about and could have exploited.
Mozilla believes the account's password was exposed in a data breach at another, unnamed website, and that the user had reused the same password for Bugzilla. While the confirmed unauthorized access dates back to September 2014, Mozilla believes access may have been gained up to a year earlier. The compromised account has been closed and law enforcement has been notified. The firm said:
"Mozilla has conducted an investigation of this unauthorized access, and we have taken several actions to address the immediate threat. We are also making improvements to Bugzilla to ensure the security of our products, our developer community, and our users.
We are updating Bugzilla's security practices to reduce the risk of future attacks of this type."
From now on, Mozilla is ramping up individual account security by forcing privileged users to change their passwords and enable two-factor authentication. In addition, the firm is trimming down the number of users with privileged access and limiting each account -- making the pool of potential victim accounts smaller and limiting how far an attacker could potentially go within the portal if they gain access to an account.
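The two controls described above, rejecting passwords that already appear in a public breach corpus and refusing privileged access without two-factor authentication, can be enforced at the moment a password is set. The following Python example is added here for illustration and is not Mozilla's or Bugzilla's code. It assumes a small, constructed list of breached passwords (a stand-in for a real leaked corpus) and models the lookup on the SHA-1 prefix-range technique used by breached-password checking services, so that the full hash never needs to be compared directly; the account fields and policy messages are likewise assumptions made for the example.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the hash form breach corpora commonly use)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached_passwords):
    """Index breached hashes by their first five hex characters.

    This mirrors the prefix-range lookup of breached-password services: a
    client reveals only the prefix and compares the remaining suffix locally.
    """
    index = defaultdict(set)
    for pw in breached_passwords:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


def is_breached(password: str, index) -> bool:
    """True if the password's hash suffix appears under its prefix in the index."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def evaluate_credential_change(username, new_password, privileged,
                               two_factor_enabled, index, min_length=12):
    """Apply the policy to a password-change request.

    Returns a list of problems; an empty list means the change is accepted.
    For privileged accounts the change is refused until 2FA is enabled, which
    is the lever that limits what a reused or leaked password is worth.
    """
    problems = []
    if len(new_password) < min_length:
        problems.append("too short")
    if is_breached(new_password, index):
        problems.append("appears in a known breach corpus")
    if privileged and not two_factor_enabled:
        problems.append("privileged account without two-factor authentication")
    return problems


# Constructed sample corpus; a real deployment would load a published breach list.
BREACHED_CORPUS = ["password123", "letmein", "Summer2014!"]
INDEX = build_range_index(BREACHED_CORPUS)

if __name__ == "__main__":
    # Constructed sample requests: a privileged user reusing a leaked password
    # without 2FA, and a privileged user with a fresh passphrase and 2FA on.
    for user, pw, priv, tfa in [("bob", "Summer2014!", True, False),
                                ("alice", "correct horse battery staple", True, True)]:
        print(user, evaluate_credential_change(user, pw, priv, tfa, INDEX) or "accepted")
```

The breached-password check only catches reuse of passwords that are already public, so it complements rather than replaces the forced reset and two-factor requirement; the 2FA rule is what protects against a password leaked from a site whose breach has not yet surfaced.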