Using data and information obtained through another hack, hackers were able to target Mozilla Firefox users through vulnerabilities in the popular browser. What is most interesting about this whole debacle, however, is that the attackers first hacked Bugzilla, Mozilla’s bug and vulnerability tracking system, to find working exploits.
Bug trackers and vulnerability databases serve important roles in maintaining secure software. As researchers and whitehats discover bugs and vulnerabilities, they report them either to a third party or directly to the vendor. In this case, it was through Bugzilla to Mozilla. This provides a common platform for sharing the information required to demonstrate and fix the bug. Even if there is no outward-facing infrastructure for reporting bugs, most developers probably have their own internal system for tracking, detailing and cataloguing bugs. For widely popular software, an attacker may not need to spend time researching their own zero-days. Instead, they can simply hit one of these bug repositories and grab a whole host of vulnerabilities to use as needed before they are patched.
In this case, Bugzilla got hit because a privileged user account had the same password for Bugzilla as on another site that got hacked. Due to this, attackers were able to move around inside Bugzilla undetected for at least a year. They managed to get away with 185 non-public vulnerabilities, of which 10 were unpatched at the time. Given how many users tend not to patch, and that Mozilla is unsure when the attackers first got in, it’s possible many users were vulnerable. In fact, one of the vulnerabilities was exploited widely for a while. In response, Mozilla is implementing steps to shore up security, such as restricting access and requiring two-factor authentication.
Once again, it shows that security can be pretty hard and that even systems introduced to better protect users can severely backfire. Given the wealth of information stored within bug repositories on various vulnerabilities, they can become a juicy target for blackhats. Just like major retailers and the recent US government data breaches, the sensitive information means these systems are guaranteed to be attacked at some point. Another major lesson is that if you want good security, not reusing passwords, keeping systems patched and using two-factor authentication are key.