An attacker stole sensitive information from Mozilla's private vulnerability database, which is hosted in Mozilla's Bugzilla bug-tracking system, and used the stolen information to launch active attacks against the Firefox browser, the company warned Friday.
An FAQ published [PDF] alongside Mozilla's blog post said that the stolen information appeared to stem from a privileged user account that the attacker had compromised. The account was taken over because its owner had reused their Bugzilla password on another website that had presumably suffered a data breach, leaking that email and password combination publicly. According to the company, the attacker was able to access the account and "download security-sensitive information about flaws in Firefox and other Mozilla products."
Mozilla added that the attacker gained access to 185 non-public Firefox bugs, of which 53 were marked "severe vulnerabilities." Ten of those vulnerabilities were unpatched at the time they were stolen, while the rest of the stolen bugs had already been fixed in Mozilla's most recent Firefox release.
Of those ten bugs, the company believes the attacker actively abused at least one to exploit Firefox. Mozilla had warned of that vulnerability back in August, alerting Firefox users that "an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine." That specific vulnerability was patched that month, on August 6.
Mozilla assured users that there is no evidence of the attacker actively exploiting any of the other stolen vulnerabilities. The company added that it had "fixed all of the vulnerabilities that the attacker learned about and could have used to harm Firefox users," in a Firefox release scheduled for August 27.
Mozilla noted that the attacker may have had unauthorized access to Bugzilla's private vulnerability database as early as September 2014, but added that the access could date back as far as September 2013. Mozilla's disclosure does not explain how the unauthorized access to the Bugzilla database was discovered, but it does say that once the access was caught, the account was immediately shut down and a third-party security team was brought in to perform a forensic investigation.
“We are updating Bugzilla’s security practices to reduce the risk of future attacks of this type,” Mozilla wrote in their disclosure. “As an immediate first step, all users with access to security-sensitive information have been required to change their passwords and use two-factor authentication.”
As a longer-term measure to keep this from happening again, Mozilla confirmed that it is "reducing the number of users with privileged access and limiting what each privileged user can do."
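The three controls Mozilla describes (reset passwords known to have leaked elsewhere, require two-factor authentication for anyone who can see security-sensitive bugs, and prune privileged access that is not being used) can be expressed as a single policy audit. The following is an added example written for this page, not Mozilla's or Bugzilla's own code: the group names, the 90-day staleness window and the "third-party leak" dataset are all constructed for illustration. The leak check works the way a defender would run it at login time, when the submitted plaintext is available to hash and compare against a hashed dump of leaked credentials.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

# Hypothetical Bugzilla group names that grant access to security-sensitive bugs.
SECURITY_GROUPS: FrozenSet[str] = frozenset({"security", "core-security"})
# Assumed policy: privileged access unused for this many days is a removal candidate.
STALE_ACCESS_DAYS = 90


@dataclass(frozen=True)
class Account:
    email: str
    password: str              # plaintext only because this demo models the login step
    groups: FrozenSet[str]
    mfa_enabled: bool
    last_security_access_days: Optional[int]   # None = never used the privilege


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_leak_index(leaked_pairs: Iterable[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    """Index a (constructed) third-party credential dump as (email, sha256(password))."""
    return {(email.lower(), sha256_hex(pw)) for email, pw in leaked_pairs}


def reused_leaked_password(account: Account, leak_index: Set[Tuple[str, str]]) -> bool:
    """True when this user's Bugzilla password equals one leaked for the same email elsewhere."""
    return (account.email.lower(), sha256_hex(account.password)) in leak_index


def is_privileged(account: Account) -> bool:
    return bool(account.groups & SECURITY_GROUPS)


def access_policy_violations(account: Account, leak_index: Set[Tuple[str, str]]) -> List[str]:
    """Apply the three controls to one account; unprivileged accounts are out of scope."""
    findings: List[str] = []
    if not is_privileged(account):
        return findings
    if reused_leaked_password(account, leak_index):
        findings.append("password matches a third-party leak: force reset")
    if not account.mfa_enabled:
        findings.append("two-factor authentication not enrolled")
    days = account.last_security_access_days
    if days is None or days > STALE_ACCESS_DAYS:
        findings.append("security-bug access unused for %d+ days: remove privilege" % STALE_ACCESS_DAYS)
    return findings


def audit(accounts: Iterable[Account], leak_index: Set[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return only the accounts that violate policy, keyed by email."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        violations = access_policy_violations(acct, leak_index)
        if violations:
            report[acct.email] = violations
    return report


# Constructed sample data: a pretend dump from an unrelated site, and four Bugzilla users.
LEAKED_ELSEWHERE = [("alice@example.org", "summer2014!"), ("erin@example.org", "hunter2")]
ACCOUNTS = [
    Account("alice@example.org", "summer2014!", frozenset({"security"}), False, 3),
    Account("bob@example.org", "Xq9#lw-unique", frozenset({"core-security"}), True, 120),
    Account("carol@example.org", "summer2014!", frozenset({"editbugs"}), False, None),
    Account("dave@example.org", "4v!Zr-unique", frozenset({"security"}), True, 12),
]


def run_demo() -> Dict[str, List[str]]:
    return audit(ACCOUNTS, build_leak_index(LEAKED_ELSEWHERE))


if __name__ == "__main__":
    for email, findings in run_demo().items():
        print(email)
        for f in findings:
            print("  -", f)
```

In this constructed data, alice reused a leaked password and has no second factor, bob has not touched a security bug in 120 days, carol reused the same leaked password but holds no security group and so is out of scope for this audit, and dave passes. A real deployment would compare against a salted, slow password hash rather than bare SHA-256 and would pull the leak data from a breach-notification feed, but the decision logic is the same.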