Open Bug 1069803 Opened 10 years ago Updated 10 years ago

Unsubscribe Legitimate User from receiving newletter

Categories

(Websites :: donate.mozilla.org, defect)

Product:
Websites
Component:
donate.mozilla.org
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
UNCONFIRMED

People

(Reporter: abhishekdashora271, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36

Steps to reproduce:

1. As we know that we receive mozilla newsletter on our email address, where there is a link to opt out which is https://sendto.mozilla.org/page/unsubscribe/
2. when we navigate to this link there is an option enter email id and reason.
3. attacker with malicious intentions can run a bot here with thousands of different users email addresses and unsubscribe them all as there is no validation to check whether request is coming from a legitimate source


Actual results:

I was able to unsubscribed my all test account with any validation and authorization 


Expected results:

the request should come from a legitimate source to unsubscribe particular email address. It should not be on hit and try basis .
Group: core-security
Component: Untriaged → Information Architecture & UX
Product: Firefox → www.mozilla.org
Component: Information Architecture & UX → donate.mozilla.org
Product: www.mozilla.org → Websites
You need to log in before you can comment on or make changes to this bug.