Security experts constantly tell users not to reuse passwords across accounts, but the message often falls on deaf ears. Now Mozilla has learned that advanced users don’t always follow that advice either, after discovering that an attacker compromised a Bugzilla user’s account with a password taken from a data breach on a separate site.
The attacker may have known who he was hitting, because the target was a privileged user with access to restricted information about security bugs in Mozilla products. Bugzilla is the bug-tracking system Mozilla uses for its various projects, and while much of the information in it is public, a subset is kept private. Specifically, information about security flaws that are still being evaluated or fixed is kept private until a patch is available or Mozilla decides not to fix the bug.
Mozilla officials say the attacker in this instance may have had access to the victim’s account since September 2013. The earliest confirmed access was in September 2014. Once in the victim’s account, the attacker apparently was able to steal information about a Firefox vulnerability that Mozilla fixed last month, but only after an exploit for it was seen in the wild.
“The account that the attacker broke into was shut down shortly after Mozilla discovered that it had been compromised. We believe that the attacker used information from Bugzilla to exploit the vulnerability we patched on August 6. We have no indication that any other information obtained by the attacker has been used against Firefox users. The version of Firefox released on August 27 fixed all of the vulnerabilities that the attacker learned about and could have used to harm Firefox users,” Richard Barnes of Mozilla said in a blog post explaining the attack.
The bug that Mozilla officials believe the attacker stole information on was patched on Aug. 6. It was related to the way the browser handled the same origin policy in some cases. Mozilla found out about the flaw after a user was compromised with it by visiting a Russian news site that was serving ads with exploit code in them.
Mozilla officials said that the attacker who gained access to the Bugzilla system ultimately had access to 185 separate bugs, including 53 severe security vulnerabilities. The good news is that 43 of those 53 flaws had already been fixed in a released version of Firefox by the time the attacker read them. The remaining 10, however, were still unpatched when the attacker saw them.
From the Mozilla FAQ on the attack:
“For the remaining 10 bugs, the attacker had some window of time between when the bug was accessed and when it was fixed in Firefox:
2 bugs Less than 7 days
5 bugs Between 7 days and 36 days
3 bugs More than 36 days (131 days, 157 days, 335 days)”
The company said that while the attacker could have used any of these vulnerabilities to attack users, the only known attack was the one exploiting the bug patched last month.
“It is technically possible that any of these bugs could have been used to attack Firefox users in the vulnerability window. One of the bugs open less than 36 days was used for an attack using a vulnerability that was patched on August 6, 2015. Other than that attack, however, we do not have any data indicating that other bugs were exploited,” the FAQ says.
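The exposure figures above are the kind of thing an incident responder reconstructs from access logs and release dates: for each private bug the attacker read, how long did the attacker know about it before a fix shipped to users? The following is an added example, not code from Mozilla or from the original article, that computes that window and sorts bugs into the three bands the FAQ uses, treating bugs whose fix shipped before the attacker's access as having no window. The bug IDs, dates and the exact boundary handling of the bands (whether "between 7 and 36 days" includes day 36) are assumptions; a bug with no shipped fix is counted as exposed up to the date of the analysis.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class BugExposure:
    """One private security bug the attacker read (constructed record)."""
    bug_id: str
    first_accessed: date               # earliest confirmed attacker access to the bug
    fixed_in_release: Optional[date]   # date a fix shipped to users; None if not yet shipped


# Constructed sample data: hypothetical IDs and dates, not Mozilla's records.
SAMPLE_BUGS = [
    BugExposure("sec-1", date(2014, 9, 10), date(2014, 6, 1)),   # fixed before access
    BugExposure("sec-2", date(2015, 3, 1),  date(2015, 3, 4)),   # 3-day window
    BugExposure("sec-3", date(2015, 2, 1),  date(2015, 2, 20)),  # 19-day window
    BugExposure("sec-4", date(2014, 11, 1), date(2015, 3, 12)),  # 131-day window
    BugExposure("sec-5", date(2015, 7, 1),  None),               # no fix shipped yet
]


def exposure_days(bug: BugExposure, as_of: date) -> int:
    """Days the attacker knew about the bug before a fix reached users.

    A fix that shipped before (or on) the day of access gives a window of 0.
    A bug with no shipped fix stays exposed up to `as_of`, the analysis date.
    """
    end = bug.fixed_in_release if bug.fixed_in_release is not None else as_of
    return max(0, (end - bug.first_accessed).days)


def exposure_band(days: int) -> str:
    """Map a window length onto the three bands used in the FAQ.

    Boundary handling is an assumption: day 36 is counted as 'between'.
    """
    if days == 0:
        return "already fixed when accessed"
    if days < 7:
        return "less than 7 days"
    if days <= 36:
        return "between 7 and 36 days"
    return "more than 36 days"


def summarize_exposure(bugs, as_of: date) -> dict:
    """Count how many bugs fall into each exposure band."""
    return dict(Counter(exposure_band(exposure_days(b, as_of)) for b in bugs))


def long_windows(bugs, as_of: date, threshold: int = 36) -> list:
    """Individual window lengths above the threshold, sorted ascending."""
    return sorted(d for d in (exposure_days(b, as_of) for b in bugs) if d > threshold)


if __name__ == "__main__":
    analysis_date = date(2015, 8, 27)   # assumed analysis date for this example
    for bug in SAMPLE_BUGS:
        days = exposure_days(bug, analysis_date)
        print(f"{bug.bug_id}: {days:4d} days  ({exposure_band(days)})")
    print(summarize_exposure(SAMPLE_BUGS, analysis_date))
    print("windows over 36 days:", long_windows(SAMPLE_BUGS, analysis_date))
```

The window is measured to the date a fix shipped in a release, not the date the code was landed, because a fix that only exists in the repository does nothing for users still running the vulnerable build; that is the same "fixed in Firefox" framing the FAQ uses.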