Mozilla has admitted that a hacker breached a high-level Bugzilla account and stole sensitive security information that was then used to attack Firefox users in the wild.
Mozilla disclosed that the hacker was able to read 185 non-public security bugs, and that at least one of them was exploited against Firefox users before it was patched.
Bugzilla is the open source bug tracker that Mozilla's developers use to track bugs and security problems. Security-sensitive bugs are normally visible only to a small group of privileged accounts, but Mozilla admitted that the hacker obtained the log-in credentials of one such account and used it to harvest the restricted data.
“The attacker acquired the password of a privileged Bugzilla user, who had access to security sensitive information,” the firm said.
“Information uncovered in our investigation suggests that the user re-used their Bugzilla password with another website, and the password was revealed through a data breach at that site,” said Mozilla in a FAQ after the hack.
The hacker had access to those 185 security bugs, 53 of which were classified as ‘severe’. Of these 53 severe bugs, 43 had already been fixed in a released version of Firefox, but the remaining 10 were still unpatched for some period after the attacker could read them, giving the hacker a window in which to exploit them against Firefox users.
Mozilla said that the “earliest confirmed instance of unauthorised access” occurred in September 2014, although there are indications that the attacker may have had access to the account roughly a year earlier.
Mozilla confirmed that the stolen information was used against Firefox users on at least one occasion.
“The largest known impact on users is through the vulnerability we found on 6 August. We know that an attack exploiting that vulnerability was used to collect private data from Firefox users visiting a news site in Russia," the firm said.
"There is no indication that any of the other bugs the attacker accessed have been exploited."
Mozilla patched that vulnerability in Firefox 39.0.3, released the following day.
Daniel Veditz, security lead at Mozilla, said the firm was now taking action to bolster security to prevent a similar breach happening again.
“As an immediate first step, all users with access to security-sensitive information have been required to change their passwords and use two-factor authentication. We are reducing the number of users with privileged access and limiting what each privileged user can do,” he said.
“In other words, we are making it harder for an attacker to break in, providing fewer opportunities to break in, and reducing the amount of information an attacker can get by breaking in."
More recently, Mozilla released Firefox 40.0.3, which it claims addresses “all the vulnerabilities that the attacker learned about and could have used to harm Firefox users”.