RealTime IT News

Bugzilla Site Vandalized

The Bugzilla bug reporting and tracking system on the Mozilla development site mozdev.org was vandalized yesterday. Mozdev is a community site where Mozilla developers create and host applications and various add-ons to the Mozilla source code.

Mozilla contributor Henrik Gemal reported the activity on his blog.

"A couple of hours ago bugzilla mails started to pour in from bugzilla.mozdev.org," Gemal wrote. "They all contained the same comment and the same action. Sexymeluckyyou73@yahoo.com changed status on all open bugs into Resolved Fixed. All bugs were submitted with the following comment: these bugs are not from me they where on there when I bought the computer."

By early yesterday afternoon, Gemal updated his blog with a comment noting that all comments and damage done by the malicious user had been corrected.

How the attacker was able to vandalize the system was not immediately known. However, Gemal suspected that it was part of how the system works.

"I'm not sure what can be done to prevent this," he explained. "Anyone can sign up for a bugzilla account and anyone can change all aspects of bugs. This is the beauty of bugzilla but also its Achilles heel."

Mozilla developer Gervase Markham disputed Gemal's assertion that anyone can sign up for a Bugzilla account and anyone can change all aspects of bugs. In a comment on Gemal's blog, he wrote that it depends on how you configure your Bugzilla installation.

"The default, and bugzilla.mozilla.org are both not set up this way," Markham wrote. "In order to do anything more than add comments and file bugs, you need editbugs or canconfirm."

Bugzilla recently released version 2.18, which boasts more than 1,000 bug fixes and improvements to the open source bug tracking system since its 2.16 release two years ago.

In other Mozilla news, another of its developers has announced he is on Google's payroll. Darin Fisher is the second Mozilla developer this week to join Google's ranks. Firefox lead engineer Ben Goodger was the first.

"Following on the heals [sic] of Ben's annoucement [sic] yesterday, I thought I'd post that I have joined Google as well," Fisher wrote in a blog post. "Like Ben, I will still be very much involved with the Mozilla project and community."

Fisher, who currently maintains a number of Mozilla networking modules, including NetLib and NSPR (Netscape Portable Runtime), had previously been an IBM employee. Before IBM, he was with Netscape/AOL.