Bugzilla Site Vandalized

The bugzilla bug reporting and tracking system on the Mozilla
development site mozdev.org was vandalized yesterday. Mozdev
is a community site for Mozilla developers to create and host
applications and various add-ons to the Mozilla source code.

Mozilla contributor Henrik Gemal reported the activity on his
blog.

“A couple of hours ago bugzilla mails started to pour in from
bugzilla.mozdev.org,” Gemal wrote. “They all contained the same comment
and the same action. [email protected] changed status on all open
bugs into Resolved Fixed. All bugs were submitted with the following
comment: these bugs are not from me they where on there when I bought the
computer.”

By early yesterday afternoon, Gemal updated his blog with a comment
noting that all comments and damage done by the malicious user had been
corrected.

The root cause that allowed the attacker to vandalize the system was
not immediately known. However, Gemal suspected that the problem was
inherent in the system's own design.

“I’m not sure what can be done to prevent this,” he explained. “Anyone
can sign up for a bugzilla account and anyone can change all aspects of
bugs. This is the beauty of bugzilla but also its Achilles' heel.”

Mozilla developer Gervase Markham disputed Gemal’s assertion that
anyone can sign up for a bugzilla account and anyone can change all
aspects of bugs. In a comment on Gemal’s blog, he wrote that it depends how
you configure your Bugzilla installation.

“The default, and bugzilla.mozilla.org are both not set up this way,”
Markham wrote. “In order to do anything more than add comments and file
bugs, you need editbugs or canconfirm.”

Bugzilla recently released version 2.18, which
boasts more than 1,000 bug fixes and improvements to the open source bug tracking
system since its 2.16 release two years ago.

In other Mozilla news, another of its developers has announced he is on Google’s
payroll. Darin Fischer is the second Mozilla developer
this week to join Google’s ranks. Firefox lead engineer Ben Goodger was the first.

“Following on the heals [sic] of Ben’s annoucement [sic] yesterday, I thought I’d
post that I have joined Google as well,” Fischer
wrote in a blog post.
“Like Ben, I will still be very much involved with the Mozilla project and community.”

Fischer, who currently maintains a number of Mozilla networking modules,
including NetLib and NSPR (Netscape Portable Runtime), had previously been
an IBM employee. Before IBM, he was with Netscape/AOL.