Closed Bug 1271744 Opened 8 years ago Closed 8 years ago

Delete email without confirming by password

Categories

(addons.mozilla.org :: Security, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: c4u53.secure, Unassigned)

Details

When deleting the account by this link
https://addons.mozilla.org/en-US/firefox/users/delete

The application didn't ask for a password but asks for the email, which is in the placeholder attribute, so if the user left his account, someone could delete his account easily.

Solution: add confirmation with password.

Best,
Muhammad Nasef (C4U53)

As we recently migrated to Firefox Accounts, addons.mozilla.org does not store passwords any longer. We cannot ask for confirmation using your password because we don't have it anymore.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Group: client-services-security

But this will cause the same problem in Firefox Accounts!
Because if the account was deleted from the addons then it'll be deleted from Firefox Accounts.
So can't you use some sort of verification which redirects the user to Firefox Accounts, which confirms deleting by password?
If Firefox Accounts asks for the password when deleting an account but addons doesn't, then there is a need for this in Firefox Accounts, because the attacker could use addons to delete Firefox accounts.

Deleting your account on addons.mozilla.org does not delete it from Firefox Accounts.

(In reply to Mark Striemer [:mstriemer] from comment #4)
> Deleting your account on addons.mozilla.org does not delete it from Firefox
> Accounts.

Excuse me, but in the end the attacker could delete the addons account of the victim, so there are a lot of solutions you could implement in this case.
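
The thread turns on how a site that no longer holds passwords can still confirm a destructive action; the sketch below shows the redirect-for-confirmation idea from the comments in generic form. It is an added example, not code from addons.mozilla.org or Firefox Accounts: the assertion format, `IDP_KEY`, `sign` and `DeleteConfirmation` are hypothetical, and a shared HMAC key stands in for whatever signing the identity provider really uses.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key shared by site and identity provider (assumption).
IDP_KEY = b"constructed-demo-key"
MAX_AGE = 300  # seconds a re-authentication stays valid for a destructive action


def sign(payload: dict, key: bytes = IDP_KEY) -> str:
    """Stand-in for the provider: serialize claims and append an HMAC tag."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


class DeleteConfirmation:
    """Site side: tie one deletion request to one fresh re-authentication."""

    def __init__(self):
        self.pending = {}  # nonce -> user id that asked to delete

    def start(self, user_id: str) -> str:
        # The nonce travels with the redirect and must come back signed.
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = user_id
        return nonce

    def finish(self, session_user: str, assertion: str, now: float) -> bool:
        body, _, tag = assertion.rpartition(".")
        expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return False  # not issued by the provider
        claims = json.loads(body)
        # pop() makes the nonce single use, so an assertion cannot be replayed.
        owner = self.pending.pop(claims.get("nonce"), None)
        if owner is None or owner != session_user or claims.get("sub") != session_user:
            return False
        # The password was entered recently, not only at the original login.
        return 0 <= now - claims.get("auth_time", 0) <= MAX_AGE
```

With this shape, an open session on an unattended machine is not enough to complete the deletion, because the site only acts on an assertion that proves a recent password entry at the provider.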