One password gifts hacker with hundreds of Firefox bugs, vulnerabilities

An attacker has launched at least one exploit against Firefox users after compromising a privileged account.
Written by Charlie Osborne, Contributing Writer

Mozilla has admitted an attacker was able to access a treasure trove of Firefox bugs and used at least one security vulnerability against users as a result.

The infiltration did not occur because of a security flaw, however. Instead, it was caused by an attacker getting hold of a Bugzilla password belonging to a privileged user.

Mozilla's Bugzilla is a web-based bug tracker that lets security staff and developers keep track of problems with Mozilla products. While much of the information on the platform is public, security-sensitive information -- such as details of unpatched critical security flaws -- is visible only to privileged users.

Herein lies the problem. In the interest of transparency, Mozilla has revealed that someone was able to steal this information and use it to attack Firefox users. Last week, the company revealed in a bulletin that a privileged user account was compromised, resulting in the theft of details of a same-origin policy bypass that allowed injected JavaScript to read files on the user's local disk, potentially exposing sensitive data.

The flaw was patched on August 6, but not before the vulnerability was exploited in the wild. In total, the attacker accessed 185 non-public bugs: 110 "protected for reasons other than software security," 22 minor security issues and 53 severe vulnerabilities.

Mozilla says there is no evidence other information contained in the portal has been used against Firefox users, and the latest Firefox version, released at the end of August, has fixed all of the vulnerabilities that the attacker learned about and could have exploited.

Mozilla believes the account's password was exposed in a data breach at another, unnamed website, and that the user had reused the same password for Bugzilla. The earliest confirmed unauthorized access dates back to September 2014, but Mozilla believes the account may have been compromised as much as a year earlier. The compromised account has been closed and law enforcement has been notified. The firm said:

"Mozilla has conducted an investigation of this unauthorized access, and we have taken several actions to address the immediate threat. We are also making improvements to Bugzilla to ensure the security of our products, our developer community, and our users.

We are updating Bugzilla's security practices to reduce the risk of future attacks of this type."

From now on, Mozilla is ramping up individual account security by forcing privileged users to change their passwords and enable two-factor authentication. In addition, the firm is reducing the number of users with privileged access and limiting what each account can do, so that fewer accounts are worth attacking and an attacker who does gain one can reach less within the portal.
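The two failure modes above, a password reused from another site's breach and a privileged account with no second factor, are what a login gate should catch. The following is an added example written for this article, not Mozilla's or Bugzilla's own code: it checks a presented password against a leaked-password corpus using a k-anonymity range lookup (only the first five hex characters of the SHA-1 leave the host, as the Pwned Passwords range API does), then decides whether a privileged account may proceed. The corpus, account records and the `gate_login` policy are constructed assumptions for illustration.

```python
"""Credential-reuse login gate (added example; not Bugzilla code)."""
import hashlib
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed corpus: passwords that appeared in an unrelated site's breach,
# stored as upper-case SHA-1 hex digests, the format range lookups expect.
LEAKED_PLAINTEXTS = ("Summer2015!", "hunter2", "letmein123", "Tr0ub4dor&3")
LEAKED_SHA1: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in LEAKED_PLAINTEXTS
}


def range_query(prefix: str) -> Set[str]:
    """Stand-in for a k-anonymity range endpoint: given the first five hex
    characters of a SHA-1, return the 35-character suffixes of every leaked
    hash sharing that prefix. A real deployment would call the remote service
    with just this prefix; the full hash never leaves the host."""
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}


def password_is_leaked(password: str) -> bool:
    """True if the password's SHA-1 appears in the breach corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_query(digest[:5])


@dataclass(frozen=True)
class Account:
    username: str
    privileged: bool      # member of a security-sensitive group
    mfa_enrolled: bool    # has a second factor registered


@dataclass(frozen=True)
class LoginDecision:
    allow: bool                 # may a session be issued right now?
    actions: Tuple[str, ...]    # steps the user must complete first/next


def gate_login(account: Account, password: str) -> LoginDecision:
    """Policy applied after the stored hash already matched the password.

    Assumed policy (not Mozilla's): any user presenting a leaked password
    must rotate it; privileged users must have MFA; a privileged user whose
    password is leaked gets no session until it is rotated, since that
    password is by definition in an attacker's hands."""
    actions = []
    leaked = password_is_leaked(password)
    if leaked:
        actions.append("rotate_password")
    if account.privileged and not account.mfa_enrolled:
        actions.append("enroll_mfa")
    if account.privileged and leaked:
        return LoginDecision(allow=False, actions=tuple(actions))
    return LoginDecision(allow=True, actions=tuple(actions))


if __name__ == "__main__":
    triager = Account("sec-triager", privileged=True, mfa_enrolled=False)
    print(gate_login(triager, "hunter2"))
    print(gate_login(Account("reporter", False, False), "glacier-vellum-quartz-8841"))
```

The check has to run where the plaintext is briefly available, at login or password change: a tracker that stores bcrypt or scrypt hashes cannot retroactively compare them against a SHA-1 leak list, which is one reason a forced rotation for privileged users is the practical remedy after an incident like this one.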
