Bug 1614919 Comment 20 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

(In reply to Leon Visscher from comment #18)
> I am curious how the severity of this bug (sec-moderate) is established. When I look at the [security severity rating](https://wiki.mozilla.org/Security_Severity_Ratings) Authentication Flaws (which lead to account compromise) is listed under sec-critical.
> 
> I do believe this bug is more severe than is established right now. Exploiting this bug I can for example make an "Official Google Black Friday search extension", and make users log in with their Google accounts. I can intercept the access tokens and gain access to their account.

If you could pull this off from the general web, for all users, then this would definitely be sec-critical. In this case you would first have to convince your victims to install your malicious extension. We've generally interpreted that requirement as capping the severity at sec-moderate since it would slow the spread of an attack and would get blackholed once discovered.

(In reply to Leon Visscher from comment #18)
> I am curious how the severity of this bug (sec-moderate) is established. When I look at the [security severity rating](https://wiki.mozilla.org/Security_Severity_Ratings) Authentication Flaws (which lead to account compromise) is listed under sec-critical.
> 
> I do believe this bug is more severe than is established right now. Exploiting this bug I can for example make an "Official Google Black Friday search extension", and make users log in with their Google accounts. I can intercept the access tokens and gain access to their account.

If you could pull this off from the general web, for all users, then this would definitely be sec-high. In this case you would first have to convince your victims to install your malicious extension. We've generally interpreted that requirement as capping the severity at sec-moderate since it would slow the spread of an attack and would get blackholed once discovered.
