Mozilla admits bug-tracker breach led to attacks against Firefox users

From InfoWorld: Mozilla last week said an unknown attacker accessed its Bugzilla bug-and-change tracking database, stole information about 53 critical security vulnerabilities, and used at least one of those flaws to attack Firefox users.

Bugzilla is the open-source tracker that Mozilla's developers -- both paid and volunteer -- use to log issues, whether security related or not; discuss different options before making changes; and pass potential fixes back and forth. Normally, bugs are open to the public, but some, especially ongoing security fixes, are accessible only to privileged account holders.

Entries on critical bugs are blocked to all but privileged accounts long after a fix has been released to ensure that the bulk of Firefox users have installed the patch.

"An attacker was able to break into a privileged user's account and download security-sensitive information about flaws in Firefox and other Mozilla products," Mozilla said Friday in an FAQ about the breach. "Information uncovered in our investigation suggests that the user reused their Bugzilla password with another website, and the password was revealed through a data breach at that site."