Bugzilla Bug Tracker Was Key to Recent Firefox Security Snafu

The Bugzilla bug tracker has been a major part of how Mozilla has kept Firefox secure and stable for a long time, but according to the company, it was also the key to a recent attack on Firefox browser users. "An attacker was able to break into a privileged user's account and download security-sensitive information about flaws in Firefox and other Mozilla products," Mozilla said Friday in an FAQ about the security snafu (PDF doownload available). "Information uncovered in our investigation suggests that the user re¬used their Bugzilla password with another website, and the password was revealed through a data breach at that site."

Here are more details.

"We believe they used that information to attack Firefox users," wrote Richard Barnes, a member of the Mozilla security team, in a blog post. "Mozilla has conducted an investigation of this unauthorized access, and we have taken several actions to address the immediate threat.  We are also making improvements to Bugzilla to ensure the security of our products, our developer community, and our users."

The blog post added:

"The account that the attacker broke into was shut down shortly after Mozilla discovered that it had been compromised.  We believe that the attacker used information from Bugzilla to exploit the vulnerability we patched on August 6.  We have no indication that any other information obtained by the attacker has been used against Firefox users.  The version of Firefox released on August 27 fixed all of the vulnerabilities that the attacker learned about and could have used to harm Firefox users."

"We are updating Bugzilla’s security practices to reduce the risk of future attacks of this type. As an immediate first step, all users with access to security-sensitive information have been required to change their passwords and use two-factor authentication."

 Bugzilla has been compromised before. Last year, it was the key to the release of private information affecting thousands of users.