Mozilla improves Security for Bugzilla after security breach

Martin Brinkmann
Sep 4, 2015

Firefox development relies largely on Bugzilla, a bug tracking application that Mozilla developers use to keep track of the development of features and changes in the Firefox web browser.

Most bug listings are accessible by the public, an account is not needed for read access. Only security-sensitive information are not accessible publicly as criminals could use them to create exploits and target Firefox users before patches hit the browser.

Security-sensitive information are only accessible by privileged users and while that keeps unauthorized users at bay, it is not a 100% protection against unauthorized access.

Mozilla revealed today that an attacker managed to steal security-sensitive information from Bugzilla and used the information to attack users of the Firefox browser in the process.

The attacker managed to take over a privileged account to gain access to security-sensitive information on Bugzilla. Mozilla believes that the attacker used the information to exploit a vulnerability in Firefox (which was patched by Mozilla in the meantime).

The attacker managed to access 186 non-public bugs on Bugzilla of which 53 were listing sever vulnerabilities and 22 minor security issues. Of those 53 severe ones, 43 had already been patched by Mozilla which left 10 security related bugs with a window of time to target Firefox users.

All vulnerabilities have been patched on August 27  in release versions of Firefox with the release of Firefox 40.0.3.

Mozilla improved security for Bugzilla as a response to the attack which protect privileged accounts and the information these accounts have access to.

Here is what Mozilla did in detail

Make all users with privileged access change their passwords.

Enforce 2-factor authentication for all privileged accounts.

Reduce the number of privileged users.

Limit what privileged users can do.

In other words, we are making it harder for an attacker to break in, providing fewer opportunities to break in, and reducing the amount of information an attacker can get by breaking in.

The linked FAQ reveals additional details about the attack. The attacker gained access to Bugzilla as early as September 2013. Information gathered by Mozilla suggest that access to the password was gained on another site the same password was used on.

Mozilla improves Security for Bugzilla after security breach
Article Name
Mozilla improves Security for Bugzilla after security breach
Mozilla announced today that it has improved security on Bugzilla as a response to a security breach.

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Ken Saunders said on September 7, 2015 at 8:28 am

    Geez, no matter what the circumstances are, Mozilla is sh** to some people.
    They’re all self-involved, incompetent, corporate morons paid to f-up people’s lives.

    An a-hole is at fault here, not Mozilla. U.S. military social media accounts have been hacked, government sites get hacked, Sony was hacked, Google services have been, Apple too.

    As far as private bugs, there’s nothing nefarious about an open source organization having/using them especially when they’re trying to protect people. Want to know why a particular bug is private? Ask a Mozillian. They’ll tell you.

    I’ve been included in private bugs and one was for something as simple as making sure that my home mailing address remained private when those horrible f-ups at Mozilla were sending me a new desktop monitor because I couldn’t afford a new one at the time.
    I only wanted one equal to the one that I had that died (a 13″ CRT). They sent me a 24″ flat screen. I’m Legally Blind, they figured that it would be better.

    As a Mozilla product user since the 1.0 releases, an add-on developer hobbyist, and as a long time contributor, I share a lot of the same frustrations and concerns as others. Sometimes I even get pissed off and other times I’m baffled by certain choices and decisions, and currently, I’m unsure about the future of things even for myself with things like add-ons since mine and the Access Firefox Project ones are mostly XUL based,, but I’m just so tired of the Mozilla bashing just for the hell of it.

    Mozilla does a wicked lot of good in this World and people who don’t even use their products benefit from it. And the people within Mozilla are far more accessible and cooler than what most people think.
    I’m just some smelly old dude living in a small town and I’ve had live and email conversations with some of the founders of Mozilla itself, the creators of Firefox, and leaders in different areas of the project.
    The Internet would be a much darker, closed off and f-ed up place without Mozilla like it once was before they existed.

    The next time that you get the urge to piss away your life bitchin’ about Mozilla, try getting involved with them instead and change things, or go watch some porn, or a play a game.
    Those things would be a far better use of your time.

  2. FunnyScript said on September 6, 2015 at 3:00 pm

    Oh, I hope that the new “terrific” feauter of Kasersky to inject on every page their script will be include as bug….

  3. Guest said on September 5, 2015 at 10:39 pm

    Mozilla’s bugzilla is one of the most horrifically insecure websites in existence. It displays everyone’s email addresses in plain text for the entire world to see. Oh and you have to post using your email address as your username, meaning that if you post, your email is instantly visible to the entire world. This has been reported ages ago, but like usual, Mozilla keeps the “important” bug reports open for years at a time and never fixes them. It’s like they just don’t care about user bug reports, they just do their own thing and only patch something someone reports if it suits them at the time.

    It’s just a joke, pathetic.

  4. Pants said on September 5, 2015 at 6:01 am

    If only they “attacked” other issues with such fervor instead of p*ssing around with unwanted features, tracking, advertsing, tiles, social bullcr*p, and interface changes – how about some focus here Mozilla

  5. EuroScept1C said on September 5, 2015 at 2:33 am

    On the bright side… 40+ security fixes have been fixed extremely fast… Who knows when Mozilla would have dealt with all of these vulnerabilities otherwise.

    1. ams said on September 5, 2015 at 5:08 am

      It didn’t transpire like you’re inferring. 43 of a total 53 severe, non-public, bugs had already been patched, as of the time of the breach.

  6. Marti said on September 4, 2015 at 9:02 pm

    > The attacker managed to access 186 non-public bugs on Bugzilla of which 53 were listing sever vulnerabilities and 22 minor security issues.

    To quote a proverb “One man’s trash is another man’s treasure”.

    **Transparency** should always be a goal for any FOSS project including Mozilla. This doesn’t mean that it can’t be done skillfully and discretely though. When I discovered back in the day that certain patches and communications were being hidden from this free and open-source software project it raised a serious red flag as this hurts the community more and degrades Mozillas reputation… but what else is new.

    It will be interesting to have that data analyzed and see just what the Mozilla Empire is so afraid of. Perhaps the Rebels have scored a victory.

  7. Pd said on September 4, 2015 at 8:29 pm

    Things were heading south beforehand but since the crucifixion of Brendan Eich Mozilla seriously can’t seem to get anything right.

    Just when I felt that identities idea seemed like the first useful feature Mozilla had come up with in Firefox for years, they go and screw up like this.

    Clearly the lights are on but nobody is home. They’re all asleep at the wheel, etc.

    Talk about losing any credibility they ever had towards encouraging developers to write secure Web applications.

    Meanwhile how’s the irrelevant Firefox OS going?

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.