Open
Bug 1069803
Opened 10 years ago
Updated 10 years ago
Unsubscribe Legitimate User from receiving newletter
Categories
(Websites :: donate.mozilla.org, defect)
Tracking
(Not tracked)
UNCONFIRMED
People
(Reporter: abhishekdashora271, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 Steps to reproduce: 1. As we know that we receive mozilla newsletter on our email address, where there is a link to opt out which is https://sendto.mozilla.org/page/unsubscribe/ 2. when we navigate to this link there is an option enter email id and reason. 3. attacker with malicious intentions can run a bot here with thousands of different users email addresses and unsubscribe them all as there is no validation to check whether request is coming from a legitimate source Actual results: I was able to unsubscribed my all test account with any validation and authorization Expected results: the request should come from a legitimate source to unsubscribe particular email address. It should not be on hit and try basis .
Updated•10 years ago
|
Group: core-security
Updated•10 years ago
|
Component: Untriaged → Information Architecture & UX
Product: Firefox → www.mozilla.org
Updated•10 years ago
|
Component: Information Architecture & UX → donate.mozilla.org
Product: www.mozilla.org → Websites
You need to log in
before you can comment on or make changes to this bug.
Description
•