Hackers spent at least a year spying on Mozilla to discover Firefox security holes – and exploit them

Hackers have known about unpublicized and unpatched critical security holes in the Firefox web browser for a year or more – all by invading Mozilla's systems. The Mozilla Foundation admitted on Friday that a privileged account on Firefox's Bugzilla bug-tracking software has been compromised since at least September 2014. Said …

  1. Anonymous Coward

    "We have notified the relevant law enforcement authorities about this incident, and may take additional steps based on the results of any further investigations," Barnes said.

    They already knew...

    Tinfoil hat time...

  2. jonnycando
    Facepalm

    This is getting.....

    Far and away too common.

  3. Anonymous Coward

    1. High value target hacked.

    2. May have lasted years.

    3. Profit!

    I'll skip the obligatory XKCD. The Mozilla Foundation suffers from the illusion that some combination of security procedures is going to prevent just this event into the future. The attacker need only succeed once, the defender always. So, good luck with that.

    1. Anonymous Coward

      This is a combination of:

      1. Storing extremely high-value information on a server

      2. ...which is directly accessible to anyone on the Internet

      3. ...protected by nothing more than username and password

      In this context, "high-value" includes "allowing an attacker to take over Internet banking accounts and directly steal money from victims"

      Epic fail.

      1. Frumious Bandersnatch

        Storing extremely high-value information on a server

        I have to downvote you there, AC. How is anyone supposed to get any work done these days if they can't collaborate and share crucial development info over the net? Especially something like open source tools where (presumably) developers are spread around the world?

        Could you suggest a way for them to share info that will be 100% secure? Of course not. We're all human and susceptible to making mistakes every now and then that can let the bad guys breach almost any "secure" system.

        1. Anonymous Coward

          Ever heard of VPN / SSH tunnels, leaving stuff like this only accessible to those inside the network? Or at least two factor auth at the very minimum.

  4. fearnothing

    Zero day heaven.

  5. Anonymous Coward
    Unhappy

    The oldest of those went unpatched for 335 or more days...

    I think this just about says it all.

    1. Anonymous Coward

      Re: The oldest of those went unpatched for 335 or more days...

      On a side note, has anyone been able to extract a full username/password out of the frame padding by using a sniffer? The most I ever extracted was 4 characters*, but then I wasn't really trying.

      * I knew what the password was, it was mine.

  6. John Smith 19 Gold badge
    Unhappy

    Obvious really.

    Want to know how to hit a high value building.

    Raid the insurance company for the vulnerability report. *

    Want to hit some high value software.

    Hit their bug tracking.

    You've got to ask how many other projects have been infiltrated this way.

    *AFAIK first mentioned in the novel "The Consultant" in the late '70s, also "Absolute Power."

    1. Pascal Monett Silver badge

      Yes, but who wants to know ?

      I don't think this is the kind of activity a script kiddie would undertake. This is more what a criminal organization would do, rationalize the process and hack the weakest link to maximize profits later.

      1. Sir Runcible Spoon

        Sir

        It's a common mistake that can often be overlooked when people have the mind-set for fixing one type of problem (they miss the obvious weak-spot).

        For example, I am currently working on building a security platform for a customer which involves collecting and analyzing data from all parts of the network in order to make it more secure.

        This platform then becomes the #1 target for any infiltrator because it contains all the information you would ever need to hack into the more sensitive parts of the environment, especially the bits that haven't been sorted out yet*

        Therefore as much effort has gone into securing the platform as it has developing the tools to map the network - but not everyone does this - it isn't cheap.

        *due to the scale of the mountain

  7. Henry Wertz 1 Gold badge

    Full disclosure

    Welp, I'm a believer in full disclosure anyway. And this provides another good reason for this -- if blackhats will get ahold of the exploits anyway*, then the other users may as well get a fair chance to see just what they are currently vulnerable to (and possibly be able to mitigate it instead of just being left in the dark.)

    *Even if you pretend they can get perfect security, there's nothing stopping a bug report from getting to the vendor AND to the blackhat community.

  8. Destroy All Monsters Silver badge
    Paris Hilton

    Prezero-day exploits.

    This should be illustrated with the picture of Donald Duck accidentally hanging himself in "The Hockey Champ"

  9. x 7

    we've said it before, and I'll say it again......why don't they just concentrate on fixing the browser and making it secure, rather than introducing unwanted crap features and facelifts, and messing around with a mobile phone OS that nobody wants and no one is going to use?

    the world needs a secure browser that's independent of the major companies (aka scam merchants). It doesn't need a new phone OS that isn't going to be used by anyone....

    1. This post has been deleted by its author

    2. Anonymous Coward

      Yup. Despite lots of clever people pointing this out to him at the time, Eich managed to get that completely the wrong way round - and practically single-handedly fucked the internet in the process. Considers himself an "evangelist" and bent Mozilla over for Google in exchange for funding his worthless braindead whimsy. The twat. "Privacy/security isn't exciting - no-one cares." Eich! The worst thing that ever happened to the web.

      1. Pascal Monett Silver badge

        Re: Privacy/security isn't exciting - no-one cares

        One look at Facebook and you'll have to agree, he was unfortunately right.

    3. Kiwi

      It doesn't need a new phone OS that isn't going to be used by anyone....

      Somehow reminds me of that famous quote from some fella who worked at IBM.. Something about 6 computers IIRC..

      There was a time when no one would've considered Windows to be useful. And who would ever have wanted what Android offers now just 10 years ago?

      I haven't seen FF's phone OS and may never see it. But want better security? Maybe a separate OS "independent of the major companies" is worth someone looking at. Certainly, with the spying and data pinching done by MS and Google, I would welcome anyone who doesn't go down their path.

      1. x 7

        @kiwi

        the problem is that any new phone OS, however clean, is going to get "modified" by the phone manufacturers to provide back doors, thus rendering any security initiative pointless.

        It doesn't matter how good the base software is, the phone companies will compromise it, making it totally pointless.

  10. Christian Berger

    Browsers are getting _far_ too complex

    particularly when fixing a known bug takes over 300 days!

    Unfortunately Mozilla works hard on making it even harder to write a browser by supporting all of the bad ideas like HTTP 2 or binary Javascript. If Mozilla wanted to make the web a better place they should remove features, not add new non-orthogonal ones.

    1. petur

      Re: Browsers are getting _far_ too complex

      http://daniel.haxx.se/http2

      I hope it gets you over your misinformation regarding http2

      1. Christian Berger

        Re: Browsers are getting _far_ too complex

        "I hope it gets you over your misinformation regarding http2"

        Actually it just repeats the points that are debunked everywhere else. What you call "misinformation" is actually a reply to the arguments brought forward in articles like this one.

        I mean if I pick a part from that article at near random, "The HTTP 1.1 request sizes have actually gotten so large over time so they sometimes even end up larger than the initial TCP window"

        Yes that's correct, but the problem here is that this is because of abuse. People put more and more junk into those headers because they are trying to implement things like state into a stateless protocol. If you want a session use Websockets instead of cramming huge cookies into your HTTP headers.

        Then there's stuff like Multiplexing connections... which may sound like a good idea until you realize that that means that you somehow have to prioritize the individual requests at the server. Browsers can do that rather well, as they know how to display the contents so they can prefer downloading the pictures you should actually see at the moment. This is _much_ harder on the server side of things.

        And even in the most favourable tests, HTTP2 is just a bit faster. Given that it requires lots of code even for the most minimal implementation, it's simply not worth it. And using libraries won't cut it, as we have seen with TLS.

    2. Anonymous Coward

      Re: Browsers are getting _far_ too complex

      Christian is right - nearly a year to fix a security related bug *is* too long. Even if the privileged Bugzilla account had been secure, a bug can be discovered by more than one person.

      If they can't fix it within a sensible timescale they should assume it is being exploited and at least warn the user community. We can argue what sensible is, but it is much less than a year.

    3. Anonymous Coward

      Re: Browsers are getting _far_ too complex

      particularly when fixing a known bug takes over 300 days!

      Thunderbird has bugs that are many years old.

  11. Ken Hagan Gold badge

    Meh...

    I appreciate that letting someone else find the bugs and then peeking at their results is a slightly simpler way of finding them, or at least the ones that they have found, but since the Firefox source is available to anyone anyway and almost certainly contains many more bugs that haven't made it into the private part of their Bugzilla database yet, this doesn't strike me as a biggie.

    Also, wouldn't it be easier to contribute features to the product and "accidentally" leave subtle flaws in? Of course, most wouldn't make it into production and those that did might only remain open for a few months before someone else spots them, but I imagine that a deliberate bug could be made harder to find than a truly accidental one.

    1. Anonymous Coward

      Re: Meh...

      I suspect that it is quicker to find the bugs with a fuzzer than by looking through the source, and you don't really need the source code for that. You can spend an hour meticulously going through just one smallish function and the chances are fifty thousand to one that you will find anything exploitable. Easier to set up a farm running fuzzers and then let that do all the work.

  12. Unicornpiss
    Meh

    Still prefer FF

    I still feel a bit safer using FF and like its features better. At least Mozilla came clean with what happened. Just because there aren't glaring headlines about IE, Chrome, Safari, etc. re. the same thing, it's extremely likely that it's just not been discovered yet or has been swept under the rug.

  13. Anonymous Coward
    FAIL

    Hometown - WTF.

    The other day I passed Mozilla HQ on the Muni line and thought, "How cool ..... they're right here". AND YET(!!!) with all of the security tech 'right here', you let your priv accts get pwn'd

    WHAT IS WRONG WITH The Valley and The Bay? It's obvious that fucktard mgmt gets in the way, but Goddamn it. We're the ones that know what is going on. Why aren't the admin accounts under strict control?

    You have enterprise pwd mgmt orgs (that most other orgs have invested in) like Cyberark and Thycotic and others, and they sit, sucking up power - DOING NOTHING!!!!!! Like they're Skunkworks or something.

    We have Thycotic (not sure how they get as much play as they do (as compared to Cyberark)), and people act surprised when I mention that we can rotate RADIUS password to comply with our pwd policy - like it is new news. 90% of CISOs, 80% of CIOs and almost 100% of Dirs of Infosec should be FIRED!!!!!

  14. Not That Andrew

    The oldest of those went unpatched for 335 or more days – meaning, Moz developers spent more than 11 months fixing that bug, and hackers had everything they needed to know to exploit it.

    No, it means that Mozilla's programmers spent 333 days ignoring the bug and 2 days patching it.

    1. Robert Carnegie Silver badge

      Not all bugs with an indicated security dimension are exploitable - that having been said, you don't work on writing an exploit, you close the hole.

      There's a problem however if by doing so, lots of people's favourite web site doesn't work with your browser. Not because the site uses the hole (you hope) but because the site doesn't work for whatever reason when you change the code to disable (thing) outright.

      So, this can take a long time to resolve.

      I'm writing hypothetically.

  15. Hans 1
    Big Brother

    Hackers or NSA ?
