Bugzilla. Just the name sounds pretty scary, right? In fact, Bugzilla is a tool the good guys use to track and fix software bugs. But now something has come to light that could have turned it from a tool for good into a weapon for evil.
Like so many evil plots in science fiction, this one has the potential for doing a lot of damage - but in this case, it is real life, not science fiction!
But before I tell you what happened to help take Bugzilla to the dark side and how you can stay safe, first let me explain the concept of open source software. That will help you better understand exactly what's going on.
Open source software is software whose source code is published for anyone to read, use and modify, under a license that allows it. It is usually built by many contributors who constantly add improvements. The idea is that by making the code freely available, far more people can look for flaws than any one professional team ever could, and so the code ends up more secure.
But this time, it seems that intention got turned upside down.
Mozilla is one of the world's biggest proponents of open source software. By some measures, Mozilla's Firefox browser runs on nearly one out of every five computers, and it is one of the most popular ways people surf the web. The organization also builds a variety of other open source programs, including the Thunderbird email program. All of these programs have known bugs, and depending on how dangerous or easy to find a bug is, it may take more or less time to get fixed.
To keep track of those bugs, Mozilla built "Bugzilla," a bug-tracking website. Most reports in it are public, but bugs flagged as security-sensitive are restricted to a small group of trusted people, so that attackers can't read about a hole before it is fixed.
Well, it turns out that a big flaw in Bugzilla's own security could have given hackers access to those restricted security reports: almost any unfixed flaw they could ask for.
Oh, and the bug has been around for ten years.
So gathered up in one place is a detailed list of every known, unfixed security flaw in software that tens of millions of people use to browse the web and read email. For an attacker, that's like Christmas morning: security holes and opportunities ripe for the taking!
Researchers discovered that all of Bugzilla's complicated access controls could be sidestepped just by registering an account with an email address that looks like it belongs to someone important. Bugzilla hands out group membership based on what the address looks like, and the sign-up flaw meant it never checked that the new user actually controlled that address. Well-known security journalist Brian Krebs, who reported on the flaw, showed how little it took: an address as plain as email@example.com.
An account that slipped through this way could view every restricted security bug in the Firefox browser and almost any other Mozilla issue imaginable. How on earth could something like this exist?
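The flaw described above belongs to a well-known class: privileges are handed out based on how an email address looks, while the sign-up step never proves that the person registering actually controls that address. What follows is an added illustration of that class, written for this page; it is not Bugzilla's code, and the domain corp.example, the group name and the Tracker class are assumptions made for the demo. The vulnerable confirm step records whatever login_name the form sends back; the hardened one records only the address the confirmation token was emailed to, so a token earned with the attacker's own mailbox cannot be redeemed for someone else's identity.

```python
import re
import secrets

# Constructed illustration of privilege granted by e-mail address pattern.
# The domain "corp.example" and the group name are assumptions for this demo,
# not Bugzilla's real configuration.
GROUP_RULES = [
    (re.compile(r"^[^@\s]+@corp\.example$", re.IGNORECASE), "security-team"),
]


def groups_for(email: str) -> set:
    """Groups an address is entitled to purely because of how it looks."""
    return {group for pattern, group in GROUP_RULES if pattern.match(email)}


class Tracker:
    """Toy account-registration flow shared by the vulnerable and hardened confirm steps."""

    def __init__(self):
        self.pending = {}   # token -> address the confirmation mail was sent to
        self.users = {}     # login -> set of groups
        self.outbox = []    # (address, token): stands in for the confirmation e-mail

    def request_account(self, email: str) -> str:
        token = secrets.token_urlsafe(16)
        self.pending[token] = email
        self.outbox.append((email, token))   # only whoever reads this mailbox learns the token
        return token

    def confirm_vulnerable(self, token: str, form: dict) -> str:
        """Trusts the login_name sent back with the confirmation form.

        The token proves the submitter owns *some* mailbox, but the identity
        actually recorded comes from attacker-controlled input."""
        if token not in self.pending:
            raise PermissionError("unknown or expired token")
        del self.pending[token]
        login = form["login_name"]
        self.users[login] = groups_for(login)
        return login

    def confirm_hardened(self, token: str, form: dict) -> str:
        """Binds the new account to the address the token was issued for.

        The form may carry a password, but never the identity."""
        login = self.pending.pop(token, None)
        if login is None:
            raise PermissionError("unknown or expired token")
        self.users[login] = groups_for(login)
        return login


def spoof_attempt(hardened: bool):
    """Attacker confirms with their own mailbox, then claims a privileged-looking login."""
    tracker = Tracker()
    tracker.request_account("attacker@mailbox.example")
    # The attacker reads the token from their own inbox ...
    _, received_token = tracker.outbox[-1]
    # ... and submits a form naming an address they do not control.
    form = {"login_name": "somebody@corp.example", "password": "hunter2"}
    confirm = tracker.confirm_hardened if hardened else tracker.confirm_vulnerable
    login = confirm(received_token, form)
    return login, tracker.users[login]


if __name__ == "__main__":
    print("vulnerable:", spoof_attempt(hardened=False))
    print("hardened:  ", spoof_attempt(hardened=True))
```

Run it and the vulnerable path creates "somebody@corp.example" in the security-team group, while the hardened path creates only "attacker@mailbox.example" with no groups. The check a practitioner wants is in confirm_hardened: the identity comes from server-side state keyed by the token, never from the request, and any pattern-based privilege is applied only after that identity has been proven.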
Well, Bugzilla, like Firefox, is open source, and open source rests on the assumption that more eyes make code more secure. It makes sense on the surface: the more people who look at your code, the more likely someone spots the flaw.
Shahar Tal, the security researcher who reported the flaw, disagrees:
The perception that many eyes have looked at open source code and it’s secure because so many people have looked at it, I think this is false. Because no one really audits code unless they’re committed to it or they’re paid to do it. This is why we can see such foolish bugs in very popular code.
Yahoo's reported exposure to the easy-to-fix Shellshock bug shows that big, well-staffed companies get caught too, but Bugzilla's ten-year-old hole makes no argument in favor of simply trusting everyone to pitch in toward making the internet a safer place.
What's the take-home? Well, it's less about this one flaw and more about Mozilla's failure to notice it for ten years. When it comes to sending your personal information through a browser like Firefox, you might want to think twice and trust the experts behind a browser like Google Chrome.
We have no idea how many vulnerabilities are quietly being exploited by hackers to profit from stealing your personal information. Google, for its part, pays big-money bounties to any hacker who finds and reports a vulnerability in its software.