Well, wonder no longer: Mozilla just revealed that its bug tracker was compromised and apparently leaked information on critical vulnerabilities. As you may or may not know, most of the information on Bugzilla is public, but only most. I guess you can imagine what the ‘other’ information is about. 😉
Apparently an attacker managed to break into (or rather: obtain the password of) one of the Bugzilla accounts that is privileged to access said non-public information. According to the Bugzilla FAQ on the incident, “the earliest confirmed instance of unauthorized access dates to September 2014. There are some indications that the attacker may have had access since September 2013.”
The FAQ goes on to explain that “the attacker accessed 185 nonpublic bugs, distributed as follows:
- 110 bugs: protected for reasons other than software security (e.g., proprietary information)
- 22 bugs: minor security issues (sec-low or sec-moderate)
- 53 bugs: severe vulnerabilities (sec-high or sec-critical)
Of these 53 sechigh or seccritical bugs, 43 had already been fixed in the released version of Firefox at the time the attacker found out about them. The information in those bugs likely could not have been used to attack Firefox users”
That leaves “only” 10 bugs that were still unfixed when the attacker read them and could therefore have been abused – and at least one of them was. That vulnerability was exploited to collect private data from Firefox users.
The compromised Bugzilla account has since been shut down, and Mozilla is restricting who gets access to security-sensitive bugs in the first place. Account security is also being tightened: users with access to that information have had to change their passwords and must now use two-factor authentication.