For the second time in three months, the Mozilla Foundation-sponsored marketing site for the popular Firefox browser was hacked by unknown intruders. This time, a notice on the now-down site says that SpreadFirefox.com won't be up and running again until Oct. 15.
In a message to users, the Spread Firefox team said that hackers broke into its servers using a vulnerability in TWiki -- open-source software for creating a structured Wiki -- which was installed, but not in use, on those servers.
The team didn't believe any sensitive data was hijacked, but to be on the safe side, the site has been taken offline, and is being completely rebuilt. The group also recommended that SpreadFirefox.com registered users change their password once the site is back up.
Spread Firefox was last hacked in July; in that instance, the site was also taken offline, although only for approximately three days.
"After Spread Firefox was compromised in July, we instituted procedures to ensure that we apply all security fixes to the software running the site as soon as they become available," said the Spread Firefox team in its message. "Unfortunately, those procedures overlooked the installation of the TWiki software since it is not used by the main Spread Firefox site. When the system is rebuilt, all the software will be audited to ensure that security updates will be applied in a timely manner. We deeply regret this incident and any inconvenience this may have caused you."
The Spread Firefox team also said that the hack didn't affect the primary Mozilla Web site, or any of the Mozilla software. It was, however, yet one more embarrassment to the open-source organization, which has long touted its Firefox browser as a more secure alternative to Microsoft's Internet Explorer.
As in the July incident, a few anti-Microsoft conspiracy enthusiasts quickly blamed Firefox's rival. One poster, identified only as "tfg," wrote on the mozillaZine blog that "I blame the MS employees seeing the 96% domination of IE dropping to FF! You've just got to hope they're using IE and haven't disabled activex controls, vengeance shall be thine!"
But cooler heads responded. A follow-up comment, posted by "Kelson," noted that "Some people don't care who they attack. Some only care how high-profile the target is. I wouldn't be surprised if these people were Firefox users themselves."