For the second time in three months, a security breach has shut down the marketing Web site used to promote the Firefox browser. Late Monday, members of the Spread Firefox community were notified that their Spreadfirefox.com site had been hit by attackers looking to exploit a bug in the TWiki collaboration software, which had been running on the server.
The Mozilla Foundation does not believe that any sensitive information was compromised in the attack, but it is encouraging the approximately 100,000 Spread Firefox members to reset their passwords. “With these things it’s hard to determine the exact nature of what happened,” said Mike Schroepfer, director of engineering with the Foundation’s Mozilla Corp. subsidiary. “We don’t believe that people were successful in getting any of that personal or sensitive information, but we’re erring on the side of caution.”
Spread Firefox is best known as the organization that raised more than US$200,000 to run a two-page Firefox ad in The New York Times last year.
In July of 2005, attackers were able to gain access to the Spread Firefox server, apparently for the purpose of sending spam. That attack compromised information such as member e-mail addresses, instant messaging names, street addresses and birthdays.
After the July attack, the Mozilla Foundation changed procedures to be sure that security fixes were applied to the Spread Firefox server software, but administrators overlooked the TWiki application, which was no longer being used, Schroepfer said. “This one particular piece of software was an oversight and happened to not get updated,” he said.
The Mozilla team discovered the attack over the past weekend, but it appears to have been launched several weeks earlier. “The vulnerability on the TWiki software was announced on the 15th of September,” Schroepfer said. “It looked like the first few attempts happened within 12 to 36 hours of those announcements going out.”
Administrators will spend the next few weeks rebuilding Spreadfirefox.com, and the site is expected to be back online around Oct. 15, according to the Mozilla Foundation.
Once widely considered a more secure alternative to Microsoft’s Internet Explorer (IE) browser, Firefox has seen its reputation decline of late. Last month, security vendor Symantec Corp. reported that the Firefox browser had more confirmed security vulnerabilities than IE during the first half of 2005.
Firefox countered that it ended up with a larger number of vulnerabilities — 25 as opposed to Microsoft’s 13 — because Microsoft tends to roll a number of bugs into one vulnerability report.