Hacker Target Firefox Users By Stealing Sensitive Security Data From Mozilla

It is guessed that the hackers may have known about the unpatched zero-day bugs in the Firefox web browser for a year or more. According to Mozilla, the attacker was able to breach a user’s account that had privileged access to Bugzilla, including the non-public zero-day flaw information. By the time, the hacker broke in, 43 of the severe flaws had already been patched in the Firefox browser claims Mozilla. However, the risk to Firefox lies in the remaining 10 bugs that the hacker had access to before they were fixed. The one bug that the hacker made full use of and benefited from it was to collect private data from a Russian news site visited by Firefox users. However, the interesting part of the Mozilla Bugzilla breach was that it did not require the hacker to know about any zero day flaw to compromise Bugzilla and still the hacker was able to learn about new Firefox zero-day flaws. That means that looks like someone had a password that then should not have access to or maybe a weak one, or possibly reused on another compromised website. Overall, password reuse is a huge problem, which is why both Google and Facebook in an effort to protect their users from breaches regularly look at password dumps. Firefox’s Security Lead Richard Barnes wrote in detail as to what Mozilla is doing to improve Bugzilla’s security in a blog post on Friday. “We are updating Bugzilla’s security practices to reduce the risk of future attacks of this type. As an immediate first step, all users with access to security-sensitive information have been required to change their passwords and use two-factor authentication.” Adding further, Barnes said that there also new limits being placed on what each level of privileged user can access, so that if an account is compromised in future, the hacker would not be able to access as much data. “We have notified the relevant law enforcement authorities about this incident, and may take additional steps based on the results of any further investigations,” Barnes said. It comes as a surprise as to why previously Mozilla did not comply with the two-factor authentication for its sensitive information as without it, all the hacker needed to gain access was one set of credentials. The latest version of Firefox released last week has fixed any problems that might have been accessed by the hacker in the past. This comes as a good news to Firefox users and one hopes that Mozilla will now be more serious about their own security than ever before.