Mozilla bug tracker breached, Firefox zero-day bugs accessible to anyone

Earlier this month, hackers managed to breach Mozilla's bug database, which gave the attackers access to 185 non-public bugs in the popular Firefox browser, 53 of which were categorized as “severe vulnerabilities”. Visitors to a Russian site are suspected of having been targeted with at least one of these.

Well, it looks like Mozilla's non-public bugs may not be the only ones under threat. A security company has found a way to obtain high-level permissions on Bugzilla, the bug-tracking database used by Mozilla as well as a host of private businesses and open-source projects. This database holds all kinds of sensitive information, including details of vulnerabilities that organizations have been told about but have not yet fixed. An attacker could very likely read information on unpatched problems from it, which could then be used against people who use Mozilla products, or any of the other affected pieces of software.

The Hack

When an employee or contributor of an organization, most likely a member of its security team, creates an account on Bugzilla, they are sent a verification email to confirm that they actually own the address. However, the bug, discovered by PerimeterX and written up by senior vulnerability researcher Netanel Rubin, lets anyone create an account that appears to belong to a specific organization, even if they do not work for it.

The attack requires registering on Bugzilla with an email address of exactly 255 bytes that includes the domain of the target organization. Instead of rejecting the overlong string, Bugzilla's database trims the data down to make it fit into the appropriate column. The attacker then attaches a domain they own to the end of this address.

As a result, the verification email is sent to an account controlled by the attacker, while Bugzilla grants the new account the access level allowed to the target organization.
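The mechanism above is a validate-then-truncate mismatch: the address is checked as a whole, the database silently shortens it on storage, and the mail goes to the untruncated original. The following Python model is an added example, not Bugzilla's own code nor PerimeterX's, showing the defect next to the fix a maintainer would apply (reject input wider than the column, and confirm that what was persisted equals what was validated) plus an audit helper for spotting rows that may already have been cut short. The regex, the 255-byte column width as a constant, and the domains target.example and attacker.example are assumptions chosen for illustration.

```python
import re

# Width of the simulated login_name column. The article states the submitted
# address is exactly 255 bytes before the extra, attacker-owned domain is added.
LOGIN_COLUMN_BYTES = 255

# Simplified mailbox@domain syntax check, run on the full submitted string.
# Assumption: a stand-in for Bugzilla's own validation, not its real pattern.
EMAIL_RE = re.compile(r"^[\w.+\-']+@[\w\-]+(\.[\w\-]+)+$")


def store_truncating(value: str) -> str:
    """Model a database that silently trims an overlong string to fit the column."""
    return value.encode("utf-8")[:LOGIN_COLUMN_BYTES].decode("utf-8", "ignore")


def domain_of(address: str) -> str:
    """Return the part after the last '@'."""
    return address.rsplit("@", 1)[1]


def register_vulnerable(email: str) -> dict:
    """Validate-then-truncate: the stored login and the address that receives
    the verification mail can end up in different domains."""
    if not EMAIL_RE.match(email):
        raise ValueError("invalid address")
    stored = store_truncating(email)  # silently shortened by the database
    return {"stored_login": stored, "verification_sent_to": email}


def register_fixed(email: str) -> dict:
    """Reject anything the column cannot hold, then confirm that what was
    persisted is byte-for-byte what was validated."""
    if not EMAIL_RE.match(email):
        raise ValueError("invalid address")
    if len(email.encode("utf-8")) > LOGIN_COLUMN_BYTES:
        raise ValueError("address longer than the login column")
    stored = store_truncating(email)
    if stored != email:
        raise RuntimeError("stored value differs from validated value")
    return {"stored_login": stored, "verification_sent_to": email}


def fixed_rejects(email: str) -> bool:
    """True when register_fixed refuses the input."""
    try:
        register_fixed(email)
    except ValueError:
        return True
    return False


def domain_mismatch(result: dict) -> bool:
    """True when the verification mail went to a different domain than the one
    the stored login claims membership of."""
    return domain_of(result["stored_login"]) != domain_of(result["verification_sent_to"])


def build_overlong_address(target_domain: str, attacker_domain: str) -> str:
    """Constructed test input mirroring the article: pad the local part so that
    '<pad>@<target_domain>' is exactly LOGIN_COLUMN_BYTES long, then append a
    suffix under the attacker-controlled domain."""
    pad = "a" * (LOGIN_COLUMN_BYTES - len("@" + target_domain))
    return f"{pad}@{target_domain}.{attacker_domain}"


def find_possibly_truncated(logins: list) -> list:
    """Audit helper for existing data: logins whose byte length equals the
    column width are candidates for having been silently cut short."""
    return [login for login in logins if len(login.encode("utf-8")) == LOGIN_COLUMN_BYTES]


if __name__ == "__main__":
    addr = build_overlong_address("target.example", "attacker.example")
    v = register_vulnerable(addr)
    print("vulnerable: stored domain", domain_of(v["stored_login"]),
          "| mail domain", domain_of(v["verification_sent_to"]),
          "| mismatch:", domain_mismatch(v))
    print("fixed: rejects overlong address:", fixed_rejects(addr))
    rows = [v["stored_login"], "alice@target.example"]
    print("rows at exactly column width:", len(find_possibly_truncated(rows)))
```

The audit helper is the part worth running against a real instance after patching: any login sitting at exactly the column width deserves a manual look, because a legitimately long address and a silently truncated one are indistinguishable from the stored value alone.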

Rubin writes: “This essentially performs a privilege-escalation attack, allowing us to obtain privileges we otherwise could not.”



Who’s Affected?

“Basically, anyone who uses Bugzilla” with email-based permissions is affected, Rubin told WIRED in a phone interview. That might include a number of Linux distributions, including Red Hat, as well as popular free-software projects such as LibreOffice and the Apache Project. The Bugzilla website lists 136 other projects, though that only covers public-facing ones; as the site puts it, “There are probably at least 10 times as many private ones.”

Mozilla, whose large cache of non-public vulnerabilities has already been accessed, is also affected; the bug was in fact tested on Mozilla's Bugzilla. It could also have an indirect effect on everyday users: any vulnerability that hackers learn of by accessing a company's Bugzilla system is ready to be used.

Rubin told WIRED that while it is not possible to say whether the bug has been actively exploited, it has probably existed for around five to seven years.

How Severe Is This?

The threat is of medium risk: it is unclear whether the bug has been used maliciously to gain access to more valuable vulnerabilities, and ordinary consumers need not be immediately worried, as Bugzilla patched the issue on September 10.

Bugzilla administrators, however, need to take this issue seriously and make sure the fix has been applied, if they have not done so already. Some of the best-known software projects use Bugzilla, including the people who maintain the Firefox browser. The other worrying thing is how easily such a seemingly minor vulnerability can be exploited.

“It’s super easy. It’s just one simple request, and that’s it, you’re in,” Rubin continued. An attacker who gained access could potentially view information on any vulnerabilities known to the product maintainers but not yet patched. “The implications of this vulnerability are severe – it could allow an attacker to access undisclosed security vulnerabilities in hundreds of products,” Rubin’s writeup continues.