People who get mail from Bugzilla may have noticed some unusual activity at around midnight UTC today. Someone created an account with email address "tim.starling@rocketmail.com", using my name, and proceeded to vandalise 88 bugs in 4 minutes. The vandalism consisted of changes to random fields, such as status, component, CC, keywords, dependencies, etc.
The scale of the problem was not immediately apparent since outgoing email (and hence wikibugs IRC) was backlogged for about half an hour.
The vandalism has now been reverted. Some statuses and resolutions were reverted by direct SQL queries. These reversions did not result in a log entry or email.
The user's IP address was a Tor exit node. I blocked the IP address in iptables, but when I found out it was an exit node, I also disabled account creation entirely, so that we could stop the vandalism by user account locks. It remains disabled for now.
About an hour before this incident, a user from a different Tor exit node (jacob-craddy@mail.com) filed 21 new bugs in 40 seconds. All were closed as "invalid".
Reverting hundreds of bug property changes was labour-intensive. It points to the need for better tools to deal with malicious behaviour in Bugzilla. I looked into the possibility of writing an automated revert tool as a command-line Perl script integrated with Bugzilla, but it looked like it would be fairly complicated:
* The bug history log has an irregular free-form text format which is not designed for automated reversions.
* The update interface (Bugzilla::Bug->set_*()) is not ideal for this application; it mixes backend access methods, such as database field name maps, with business logic, such as agreement between product and component.
-- Tim Starling