Mozilla engineers have revealed that their bug tracking application was compromised, and an unknown attacker had used a privileged account which had access to sensitive information about unpatched Firefox vulnerabilities.
According to the foundation's security disclosure, they confirmed the attacker had access to the bug tracker since September 2014, but they suspect access goes back even further, to September 2013.
Mozilla security experts blame this incident on one of its users that had reused the bug tracker's password on another site, which was later hacked. The company's bug tracker, which is named Bugzilla and is also available as open source, is the instrument which the foundation uses to track problems with its software, may it be Firefox, Thunderbird, Firefox OS, or anything else.
Because bugs reported to the Foundation can be of a high-security risk, some are kept private and only published after they are fixed. According to the company's internal investigation, the user that had his account compromised had access only to critical Firefox bugs, and not those in other products. In the time span the attacker had access to Bugzilla's private section, Mozilla engineers report that they recorded 185 non-public bugs.
Attacker had access to critical Firefox bugs
Out of these 185 bugs, 110 were private because they contained proprietary information, 22 bugs described minor security issues, and 53 were severe vulnerabilities. From the 53 high-security bugs, 43 were already fixed, but not published, when the attacker found out about them, and data from only 10 bugs could have been actively exploited.
From these 10 bugs, 2 were fixed in less than a week, 5 bugs took between 7 and 36 days to address, and the other 3 bugs were fixed in 131, 157, and 335 days respectively. The Mozilla Foundation reports that there were no recorded cases of any of these bugs being used in real-world attacks.
To fix the security problem, Bugzilla admins have forced any user with access to the bug tracker's private section to change their password, they have cut down the number of users with access to this section, and have also limited their access rights, so future breaches would expose smaller amounts of information.
110 Reykjavik, Iceland