In a statement Friday, Mozilla disclosed that someone improperly accessed an account on Bugzilla, its open-source bug tracker and testing tool, and stole restricted information about a Firefox vulnerability.
“We are disclosing today that someone was able to steal security-sensitive information from Bugzilla,” Mozilla said. “We believe they used that information to attack Firefox users.”
Mozilla has concluded that a hacker gained knowledge of a now-patched Firefox exploit that left no trace of itself on local machines and targeted Firefox’s built-in PDF viewer. The Android version of Firefox, which does not contain the PDF viewer, was not vulnerable to the attack.
Props to Mozilla for the transparency about the breach. Hopefully this inspires better practices at other organizations.
— SwiftOnSecurity (@SwiftOnSecurity) September 4, 2015
“We have no indication that any other information obtained by the attacker has been used against Firefox users,” Mozilla said.
The company released a Firefox update on Aug. 27 that fixes all of the vulnerabilities the attacker might have discovered in the bug-tracking database. It also shut down the account that the attacker accessed and implemented new security measures to prevent the breach from happening again. Among the measures: other users with access to potential Firefox exploits must change their passwords and enable two-factor authentication.
Mozilla is also tightening access to sensitive information. “We are making it harder for an attacker to break in, providing fewer opportunities to break in, and reducing the amount of information an attacker can get by breaking in,” the company said.
Law enforcement is investigating the breach.
Photo via jalbertbowdenii/Flickr (CC BY 2.0)