Closed
Bug 1271744
Opened 8 years ago
Closed 8 years ago
Delete email without confirming by password
Categories
(addons.mozilla.org :: Security, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: c4u53.secure, Unassigned)
Details
When deleting the account via this link, https://addons.mozilla.org/en-US/firefox/users/delete, the application didn't ask for the password but asks for the email, which is in the placeholder attribute, so if the user left his account someone could delete his account easily.

Solution: add confirming with password.

Best,
Muhammad Nasef (C4U53)
Comment 1•8 years ago
As we recently migrated to Firefox Accounts, addons.mozilla.org does not store passwords any longer. We cannot ask for confirmation using your password because we don't have it anymore.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Updated•8 years ago
Group: client-services-security
Comment 2•8 years ago (Reporter)
But this will cause the same problem in Firefox Accounts! Because if the account was deleted from the addons then it'll be deleted from Firefox Accounts. So can't you use some sort of verification which redirects the user to Firefox Accounts, which confirms deleting by password?
Comment 3•8 years ago (Reporter)
If Firefox Accounts asks for a password when deleting an account but addons doesn't, then there is need for this in Firefox Accounts because the attacker could use addons to delete Firefox accounts.
Comment 4•8 years ago
Deleting your account on addons.mozilla.org does not delete it from Firefox Accounts.
Comment 5•8 years ago (Reporter)
(In reply to Mark Striemer [:mstriemer] from comment #4)
> Deleting your account on addons.mozilla.org does not delete it from Firefox
> Accounts.

Excuse me, but in the end the attacker could delete the addons account of the victim, so there are a lot of solutions you could implement in this case.