It is guessed that the hackers may have known about the unpatched zero-day bugs in the Firefox web browser for a year or more. According to Mozilla, the attacker was able to breach a user’s account that had privileged access to Bugzilla, including the non-public zero-day flaw information.
“There are some indications that the attacker may have had access since September 2013,” the nonprofit added in an FAQ [PDF] about the security breach. This means that before the holes were patched, the hackers had enough time to make full use and enjoy benefit from the software flaw.
The hacker had gained access to approximately 185 secret bugs that were non-public, according to the FAQ. Of those bugs, Mozilla considered 53 as “severe” vulnerabilities. It is said that the oldest bugs were not patched until 335 days or more, which means that the hackers had more than 11 months to exploit the vulnerabilities before it was fixed by the Mozilla developers.
By the time, the hacker broke in, 43 of the severe flaws had already been patched in the Firefox browser claims Mozilla. However, the risk to Firefox lies in the remaining 10 bugs that the hacker had access to before they were fixed.
On the breach, Mozilla stated in an FAQ “One of the bugs [opened]less than 36 days was used for an attack using a vulnerability that was patched on August 6, 2015. Other than that attack, however, we do not have any data indicating that other bugs were exploited.”
The one bug that the hacker made full use of and benefited from it was to collect private data from a Russian news site visited by Firefox users.
However, the interesting part of the Mozilla Bugzilla breach was that it did not require the hacker to know about any zero day flaw to compromise Bugzilla and still the hacker was able to learn about new Firefox zero-day flaws.
“Information uncovered in our investigation suggests that the user reused their Bugzilla password with another website, and the password was revealed through a data breach at that site,” Mozilla’s FAQ stated.
That means that looks like someone had a password that then should not have access to or maybe a weak one, or possibly reused on another compromised website. Overall, password reuse is a huge problem, which is why both Google and Facebook in an effort to protect their users from breaches regularly look at password dumps.
Firefox’s Security Lead Richard Barnes wrote in detail as to what Mozilla is doing to improve Bugzilla’s security in a blog post on Friday.
“We are updating Bugzilla’s security practices to reduce the risk of future attacks of this type. As an immediate first step, all users with access to security-sensitive information have been required to change their passwords and use two-factor authentication.”
Adding further, Barnes said that there also new limits being placed on what each level of privileged user can access, so that if an account is compromised in future, the hacker would not be able to access as much data.
“We have notified the relevant law enforcement authorities about this incident, and may take additional steps based on the results of any further investigations,” Barnes said.
It comes as a surprise as to why previously Mozilla did not comply with the two-factor authentication for its sensitive information as without it, all the hacker needed to gain access was one set of credentials.
The latest version of Firefox released last week has fixed any problems that might have been accessed by the hacker in the past. This comes as a good news to Firefox users and one hopes that Mozilla will now be more serious about their own security than ever before.