Bugzilla attack on bugzilla.mozdev.org

A couple of hours ago bugzilla mails started to pour in from bugzilla.mozdev.org. They all contained the same comment and the same action.

sexymeluckyyou73@yahoo.com changed status on all open bugs into Resolved Fixed. All bugs were submitted with the following comment:
these bugs are not from me they where on there when i bought the computer.

This is one of the first larger bugzilla attacks I've seen. I'm not sure what can be done to prevent this. Anyone can sign up for a bugzilla account and anyone can change all aspects of bugs. This is the beauty of bugzilla but also it's Achilles heel.


January 25, 2005 10:39 AM | Posted in Mozilla

Related entries

Ads:

Back Next

10 Comments

Why not to use different permission levels then?

Say, ordinary accounts can only create, add comments, and reopen bugs.

Or am I missing something?

Comment by Alexander K at January 25, 2005 12:03 PM | Permalink

Ouch. What's the recovery contingency plan?

Site icon Comment by Robin at January 25, 2005 12:39 PM | Permalink

I've seen two Bugzilla vandalism links. One says it was mozdev, this one says mozilla? Were both hit or did somebody miscommunicate?

Site icon Comment by Brant Gurganus at January 25, 2005 12:55 PM | Permalink

Why did I get probed on five different ports when I submitted?

Site icon Comment by Brant Gurganus at January 25, 2005 12:58 PM | Permalink

I think you can do no better than built in some spam heuristics for the comments and automatically warn the bugzilla maintainer with a possibility to undo all actions of the possible spammer.

It is however a lame and extremly useless attack which I think is unlikely to happen often.

Comment by Bram at January 25, 2005 01:04 PM | Permalink

It's fixed now! All changes made by sexymeluckyyou73@yahoo.com have be removed

Site icon Comment by Henrik Gemal [TypeKey Profile Page] at January 25, 2005 01:18 PM | Permalink

I don't get it; the Mozilla official Bugzilla system doesn't allow new signups to change status of any bugs. I can still add a comment to a ton of entries and spam people, but I can't change the database there - should the Mozdev one be setup in a similar way?

Site icon Comment by Luke Reeves [TypeKey Profile Page] at January 25, 2005 03:13 PM | Permalink

"Anyone can sign up for a bugzilla account and anyone can change all aspects of bugs."

It depends how you configure your Bugzilla. The default, and bugzilla.mozilla.org are both not set up this way. In order to do anything more than add comments and file bugs, you need editbugs or canconfirm.

Gerv

Site icon Comment by Gerv at January 25, 2005 03:56 PM | Permalink

The bugzilla bug reporting and tracking system on the Mozilla development site mozdev.org was vandalized yesterday. Mozdev is a community site for Mozilla

Site icon TrackBack from Bugzilla Site Vandalized at January 27, 2005 04:36 PM | Permalink

Hi,

I would like to know if we can archive the bugs in bugzilla.
Example for a situation:
we have been using bugzilla since more then a year, i am thinking to archive all the bugs of around 6 months old or so.
If some one has come across such situation pls let me know how i can proced?

Thanks
Sudheer Reddy

Comment by Sudheer Reddy at June 15, 2006 08:34 AM | Permalink

Post a comment




Remember Me?




Please enter the security code you see here

.
You're here: Home - Bugzilla attack on bugzilla.mozdev.org
Get the Mozilla Firefox browser