Mozilla Bugzilla data breach leaked zero-days

Open source organisation Mozilla has revealed its 'Bugzilla' bug tracking repository was compromised and leaked information on critical vulnerabilities, at least one of which was used to attack Firefox users this year.

One of Mozilla's head security engineers, Richard Barnes, wrote in a blog post that an attacker broke into a privileged user account, and downloaded flaws and security sensitive information about vulnerabilities in the Firefox web browser and other products.

Security sensitive information is kept under wraps in Bugzilla by Mozilla until the vulnerabilities are patched. The compromise has seen a total of 185 non-public bugs leaked.

Of these, 53 were rated as sec-high or sec-critical. Just 10 were unpatched in the current version of Firefox at the time of the data breach.

One vulnerability that allowed attackers to steal files from Firefox users is believed to have been exploited. That flaw was patched in August this year.

Barnes said the attacker got in relatively easily, by acquiring the password of a privileged user who had re-used a password from another site that had suffered a data breach, which was also on Bugzilla.

The unnamed attacker had access at least since September last year, Mozilla's investigation into the data breach showed. However, it also suggested it was possible the breach could date back as far as a year earlier.

Mozilla's security team said it was technically possible any of the 10 bugs could have been used to attack Firefox users while they remained unpatched in the browers.

Three bugs were unpatched for 131, 157 and 335 days respectively. All exploitable vulnerabilities leaked in the incident were patched in the the updated version of Firefox released on August 28 Australian time.

Users who have access to security sensitive information in Bugzilla have been asked to change their passwords immediately.

Barnes said privileged users now must utilise two-factor challenge and response authentication for added security. Mozilla is also cutting down on the number of users who have privileged access, and reducing what they can do in Bugzilla.

The measures make it harder to break into the bug tracker, Barnes wrote, and also limit the amount of information an attacker can obtain in the case of a successful compromise.