Firefox marketing site hacked

SpreadFirefox.com, the community marketing Web site for the open-source Firefox Web browser, was hacked earlier this week, potentially exposing user data.

Attackers broke into the Web site by exploiting an unpatched security vulnerability in the software that runs SpreadFirefox.com, the Mozilla Foundation said in an e-mail alert to registered users of the site late Thursday. Mozilla coordinates Firefox development and marketing. The authenticity of the e-mail was confirmed Friday by a Mozilla representative.

The attack actually occurred on Sunday but was not discovered until Tuesday, according to the e-mail alert. The SpreadFirefox.com was subsequently taken down for a few days to investigate the attack, according to a notice posted on the site.

The necessary patches have now been applied to the software that runs SpreadFirefox.com, Mozilla said. According to its e-mail, the group has also "reviewed our security plan to determine why we didn't previously apply those fixes in this case, and have modified that plan to ensure we do so in the future." The exploited flaw was a vulnerability in PHP, the language in which Drupal, the content management system that Spread Firefox uses, is written.

Mozilla believes the machine was hacked to use it to send spam, according to the e-mail. However, it is possible that attackers obtained usernames and passwords and any other information people may have provided to the site, such as e-mail and home addresses, birth dates and instant-messaging names, Mozilla said.

The hack is an embarrassment to Mozilla, which uses security as the main selling point for the Firefox Web browser.

SpreadFirefox is the online Firefox marketing hub. Mozilla has successfully used the site to mobilize volunteers to popularize the browser through free marketing techniques such as Web site buttons and by collecting money for an ad in The New York Times.

As a result of the attack, Mozilla is urging the estimated 100,000 SpreadFirefox users to change their passwords. If those people use the same passwords for other Web sites, they should be changed there too, Mozilla advises.

[tsm26]

Just have to say

This week with the vulnerabilities on Kerberos and other open source projects is a validation of comments I have made about security and the continuous lauding of open source projects being the most secure. Everything is vulnerable with usually minimal effort. Going purely open source isn't going to protect you any more than another approach will without proper practices. You need to be current with patches, have good passwords, and monitor your system constantly. That being said, I use open source for everything I do because I like the flexibility and the ability to customize. I just don't have fantasies about their security.

[Chrono13]

Very well stated, however...

I agree. Though regarding "constantly" monitoring a system... if it is properly maintained, it should not have to be a chore, or a hassle. I just think you used the wrong word there. Maybe "regularly" or "often"? Many modern programs automate most security related tasks (Router/hardware firewall NAT, auto-updating anti-virus and scheduled scans, and a default ?block until approved? software firewall, and if you prefer ? automatic updates for most programs and even operating systems, etc).

As for Open Source Software, I use OSS for many reasons. The biggest reason is that the settings, install, and general program operation has ME in mind rather than a company or individual. You don't see many OSS (other than a virus of course) re-installing itself during an uninstal, spidering itself deep into your system (Real Player), not uninstalling at ALL while saying it did (Trillain) and otherwise inflicting Digital Rights Restrictions (or Management if you prefer) and other such nasty things upon the end user.

-C

[unknown unknown]

If this doesn't demonstrate....

why appling patches to software, whether closed or open source, is vital then I don't know what will. No reasonable person with even a basic understanding would say that any software is completely secure. To say so is to demostrate ones ignorance.

[Scott W]

so true

flaws in OSS are almost always fixed before they are exploited. if they had patched up they would have been safe. if they had been on IIS then their server would have been hacked long before now. and they probably wouldn't have a patch available until a number of people exploit the security hole.

[Mendz]

I'd say...

It doesn't matter which brand, company or organization now. What obviously matters is the possible greatness in numbers. MS IE is popular so it gets attacked. Firefox is popular so it gets attacked. Proprietary or open-source, they should both be vigilant in making sure their products are secured.

Cracked, not hacked

http://www.catb.org/~esr/faqs/hacker-howto.html