(In reply to Leon Visscher from comment #18)
> I am curious how the severity of this bug (sec-moderate) is established. When I look at the [security severity rating](https://wiki.mozilla.org/Security_Severity_Ratings) Authentication Flaws (which lead to account compromise) is listed under sec-critical.
>
> I do believe this bug is more severe than is established right now. Exploiting this bug I can for example make an "Official Google Black Friday search extension", and make users log in with their Google accounts. I can intercept the access tokens and gain access to their account.

If you could pull this off from the general web, for all users, then this would definitely be sec-critical. In this case you would first have to convince your victims to install your malicious extension. We've generally interpreted that requirement as capping the severity at sec-moderate since it would slow the spread of an attack and would get blackholed once discovered.
Bug 1614919 Comment 20 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
(In reply to Leon Visscher from comment #18)
> I am curious how the severity of this bug (sec-moderate) is established. When I look at the [security severity rating](https://wiki.mozilla.org/Security_Severity_Ratings) Authentication Flaws (which lead to account compromise) is listed under sec-critical.
>
> I do believe this bug is more severe than is established right now. Exploiting this bug I can for example make an "Official Google Black Friday search extension", and make users log in with their Google accounts. I can intercept the access tokens and gain access to their account.

If you could pull this off from the general web, for all users, then this would definitely be sec-high. In this case you would first have to convince your victims to install your malicious extension. We've generally interpreted that requirement as capping the severity at sec-moderate since it would slow the spread of an attack and would get blackholed once discovered.