SpreadFirefox.com - whoops!

goldfish · Jul 19, 2005

Got this email the other day:

On Tuesday, July 12, the Mozilla Foundation discovered that the server hosting Spread Firefox, our community marketing site, had been accessed on Sunday, July 10 by unknown remote attackers who exploited a security vulnerability in the software running the site. This exploit was limited to SpreadFirefox.com and did not affect other mozilla.org web sites or Mozilla software.

We don't have any evidence that the attackers obtained personal information about site users, and we believe they accessed the machine to use it to send spam. However, it is possible that the attackers acquired information site users provided to the site.

As a Spread Firefox user, you have provided us with a username and password. You may also have provided us with other information, including a real name, a URL, an email address, IM names, a street address, a birthday, and private messages to other users.

We recommend that you change your Spread Firefox password and the password of any accounts where you use the same password as your Spread Firefox account. To change your Spread Firefox password, go to SpreadFirefox.com, log in with your current password, select "My Account" from the sidebar, select "Edit Account" from the sidebar, then enter your new password into the Password fields and press the "Save user information" button at the bottom of the page.

The Mozilla Foundation deeply regrets this incident and is taking steps to prevent it from happening again. We have applied the necessary security fixes to the software running the site, have reviewed our security plan to determine why we didn't previously apply those fixes in this case, and have modified that plan to ensure we do so in the future.

Sincerely,
The Mozilla Foundation
Click to expand...

OOOPS. Good thing I have a different password for all my accounts eh?

Tonglebeak · Jul 19, 2005

Drupal packaged the xml-rpc lib in their software (and sfx uses Drupal). It's not sfx's fault, but xml-rpc's.

I know you weren't blaming anyone, but I just had to make that clear before someone comes in and says "omg sfx sux they got haxed LOL"

goldfish · Jul 19, 2005

Well, it depends whether xml-rpc had a patch out a reasonable ammount of time before the attack took place. If it was out days or even weeks before, why wasn't it applied?

But either way, oops.

Ira_Gaines · Jul 19, 2005

I read that on slashdot, apparently they had a few days(a week or 11 days maybe?) to patch it after the problem was announced, before it got hacked. It isn't Mozilla's fault, someone else runs the site.

BoredOutOfMyMind · Jul 19, 2005

Ira_Gaines said:

I read that on slashdot, apparently they had a few days(a week or 11 days maybe?) to patch it after the problem was announced, before it got hacked. It isn't Mozilla's fault, someone else runs the site.
Click to expand...

Something else to blame on Saddam Hussein and company??????

goldfish · Jul 20, 2005

BTW thanks Kodo for fixing my quote tags It was late an I didn't see till it was too late!

Log in or Sign up

SpreadFirefox.com - whoops!

goldfish Lt. Sushi.DC

Tonglebeak Specialist

goldfish Lt. Sushi.DC

Ira_Gaines Private E-2

BoredOutOfMyMind Picabo, ICU

goldfish Lt. Sushi.DC