Firefox Advocacy Site Hacked
For the second time in three months, a security breach has shut down the marketing Web site used to promote the Firefox browser. Members of the Spread Firefox community have learned that their Spreadfirefox.com site was hit by attackers looking to exploit a bug in the TWiki collaboration software that had been running on the server.
The Mozilla Foundation does not believe that any sensitive information was compromised in the attack, but it is encouraging the approximately 100,000 Spread Firefox members to reset their passwords.
"With these things, it's hard to determine the exact nature of what happened," said Mike Schroepfer, director of engineering with the Foundation's Mozilla subsidiary. "We don't believe that people were successful in getting any of that personal or sensitive information, but we're erring on the side of caution."
Spread Firefox is best known as the organization that raised more than $200,000 to run a two-page Firefox ad in the New York Times last year.
In July 2005, attackers were able to gain access to the Spread Firefox server, apparently for the purpose of sending spam. That attack compromised information such as member e-mail addresses, instant messaging names, street addresses, and birthdays.
After the July attack, the Mozilla Foundation changed procedures to be sure that security fixes were applied to the Spread Firefox server software, but administrators overlooked the TWiki application, which was no longer being used, Schroepfer said. "This one particular piece of software was an oversight and happened to not get updated," he said.
The Mozilla team discovered the current attack over the past weekend, but it appears to have been launched several weeks earlier. "The vulnerability on the TWiki software was announced on the 15th of September," Schroepfer said. "It looked like the first few attempts happened within 12 to 36 hours of those announcements going out."
Administrators will spend the next few weeks rebuilding Spreadfirefox.com, and the site is expected to be back online around October 15, according to the Mozilla Foundation.
Once widely considered a more secure alternative to Microsoft's Internet Explorer browser, Firefox has seen its reputation decline of late. Last month, security vendor Symantec reported that the Firefox browser had more confirmed security vulnerabilities than IE during the first half of 2005.
Firefox countered that it ended up with a larger number of vulnerabilities--25 as opposed to Microsoft's 13--because Microsoft tends to roll a number of bugs into one vulnerability report.