I just tried the URL you posted in comment 17 and comment 18, and I got a Not Authorized error. This attack only works if you use the state parameter you generated in a client and then try to log in with this URL on the **same** client. For an account takeover scenario, the following should happen:
1. Generate the OAuth URL which has the attacker-controlled domain in the attacker's client.
2. Trick the user into clicking the URL and logging in with their Firefox account.
3. Receive the auth token generated for the user on the attacker's end.
In Hubs' case, the second step is not working because the state parameter generated on the attacker's client is not valid on the victim's client; therefore, we are getting the Not Authorized error.
Bug 1826674 Comment 19 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
I just tried the URL you posted in comment 17 and comment 18, and I got a Not Authorized error. This attack only works if you use the state parameter you generated in a client and then try to log in with this URL on the **same** client. For an account takeover scenario, the following should happen:
1. Generate the OAuth URL which has the attacker-controlled domain in the attacker's client.
2. Trick the user into clicking the URL and logging in with their Firefox account.
3. Receive the auth token generated for the user on the attacker's end.
In Hubs' case, the second step is not working because the state parameter generated on the attacker's client is not valid on the victim's client; therefore, we are getting the Not Authorized error.
I just tried the URL you posted in comment 17 and comment 18, and I got a Not Authorized error. Logging in with the victim's account only works if you use the state parameter you generated in a client and then try to log in with this URL on the **same** client. For an account takeover scenario, the following should happen:
1. Generate the OAuth URL which has the attacker-controlled domain in the attacker's client.
2. Trick the user into clicking the URL and logging in with their Firefox account.
3. Receive the auth token generated for the user on the attacker's end.
In Hubs' case, the second step is not working because the state parameter generated on the attacker's client is not valid on the victim's client; therefore, we are getting the Not Authorized error.
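The behaviour described in the comment, a state parameter minted in one client's session being rejected when the callback arrives in a different session, is what a correctly session-bound OAuth state check produces. The following is an added illustration written for this page, not Hubs' code or anything from the bug; the in-memory session store, the `https://auth.example/authorize` endpoint, the `hubs` client id and the function names are all assumptions made for the example. It models the three steps above and shows why step 2 ends in Not Authorized when the state does not belong to the victim's own session.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for a server-side session store: session_id -> pending
# OAuth states issued to that browser session. (Hypothetical; not Hubs' storage.)
_pending_states: dict[str, set[str]] = {}

# Assumed authorization endpoint and client id, used only to build a plausible URL.
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"
CLIENT_ID = "hubs"


def build_authorize_url(session_id: str, redirect_uri: str) -> str:
    """Mint a fresh, unguessable state for *this* session and embed it in the URL."""
    state = secrets.token_urlsafe(32)
    _pending_states.setdefault(session_id, set()).add(state)
    query = urlencode({"client_id": CLIENT_ID, "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def state_from_url(url: str) -> str:
    """Extract the state parameter from an authorize URL (what a click carries along)."""
    return parse_qs(urlparse(url).query)["state"][0]


def handle_callback(session_id: str, state: str) -> str:
    """Validate the returned state against the caller's own session.

    Returns "authorized" when the state was issued to this session, otherwise
    "Not Authorized". The lookup is keyed by session, so a state issued to the
    attacker's session is simply unknown in the victim's session.
    """
    pending = _pending_states.get(session_id, set())
    # Constant-time comparison against each pending value for this session only.
    match = next((s for s in pending if hmac.compare_digest(s, state)), None)
    if match is None:
        return "Not Authorized"
    pending.discard(match)  # single use: a replayed state is rejected next time
    return "authorized"


def same_client_flow() -> str:
    """Step 1 and step 2 happen in the same session: the state is valid."""
    url = build_authorize_url("session-A", "https://hubs.example/callback")
    return handle_callback("session-A", state_from_url(url))


def cross_client_flow() -> str:
    """Step 1 in the attacker's session, step 2 in the victim's: the state is unknown."""
    url = build_authorize_url("attacker-session", "https://attacker.example/callback")
    return handle_callback("victim-session", state_from_url(url))


if __name__ == "__main__":
    print("same client  :", same_client_flow())    # authorized
    print("cross client :", cross_client_flow())   # Not Authorized
```

The check that matters is the session-scoped lookup in `handle_callback`: because the state is looked up under the caller's own session rather than in a global table, a state produced elsewhere cannot be validated, which is exactly the failure the comment reports at step 2. Dropping the state after one successful use also closes replay within the same session.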