Mozilla announced on Friday, September 4, that a hack of their Bugzilla bug tracker enabled unauthorized access to data about unpatched bugs. Armed with this insider knowledge of Firefox’s weaknesses, the bad guys were able to exploit at least one bug before it was patched. In other words, bad guys found a way to get in and then found something they could take advantage of.
The good news is that all of the bugs included in the breach have been patched and are available in Firefox 40.0.3 – which was made available on August 27. If you haven’t already done so, GET IT NOW. There is no reason to wait.
That brings us to the first basic security mantra: make sure you keep your software up-to-date: your operating system, your browsers, everything! Make sure you are using the latest & greatest version. It’s worth it for bad guys to hack software that they know is going to get updated, because they know that too many people don’t bother with updates – and those folks are the targets!
If you aren’t using Firefox 40.0.3 (or a newer version) after finding out about this exploit against Firefox, then you are playing chicken with professional hackers and the odds are stacked against you.
So, how did the bad guys break in?
There’s every indication that the bad guys got the login for the secure Mozilla site through a hack of another site. In other words, it wasn’t a weak security system at Mozilla that was exploited; it was weak security practice by one of the employees. An employee who should have known better used the same password for his/her Mozilla access as on another site. The other site was hacked, and then the password was used to enter Mozilla. Ouch!
That brings us to the second basic security mantra: make sure you use a unique password for each and every login you have!
If you still thought that reusing a password – regardless of how long and strong it is – on multiple sites was acceptable, then hopefully, this will be enough to show you that it ain’t so! Use a unique password for each login to ensure that a breach at one site doesn’t jeopardize your security and privacy at another site. A password manager like Sticky Password is an effective way to have unique and strong passwords for each of your logins.
As news of the hack at Mozilla was quietly making the rounds in the news this weekend, it occurred to me that in addition to fixing the bugs, Mozilla should have gone public with this differently. Given the popularity that Mozilla enjoys – and the fact that the story is about security bugs that have already been fixed – it would have benefitted more people to announce the story on a business weekday. As it was, Mozilla buried the story by announcing the hack on Friday before the long Labor Day weekend in the US.