Closed Bug 1061261 Opened 10 years ago Closed 10 years ago

Mozilla Account Takeover by a Previously Sent Email Confirmation Link

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1061006

People

(Reporter: bhati.infosec, Unassigned)

Details

(Whiteboard: [site:addons.mozilla.org][reporter-external])

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36

Steps to reproduce:

Mozilla Account Takeover by Not Expiring a Previously Sent Email Confirmation Link

Vulnerable Domain - addons.mozilla.org
================================

POC Video - http://youtu.be/XLM60tTL2gs

Attack Scene
1. The user enters an invalid email by mistake, like bhati.hack@gmail.com, and the confirmation link is sent to this address.
2. Now, after 2 minutes, the user has realised that he entered the wrong email, so he changes the email to bhati.feedback@gmail.com.
3. Now the owner of the bhati.hack@gmail.com email account can use that confirmation link to take over the victim's account and do a password reset.
=========

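Added example, not code from the report or from addons.mozilla.org: a small Python confirmation-token store that closes the gap the steps describe, so the link mailed to the mistyped address stops working as soon as the user requests a change to the corrected address, unused links expire, and each link is single-use. The class, the 15-minute TTL and the addresses are constructed for illustration.

```python
import hashlib
import secrets
import time
from typing import Callable, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed validity window for a confirmation link


class EmailChangeService:
    """Email-change confirmation in which only a user's newest request is valid."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        # user_id -> (new_email, sha256(token), issued_at); at most one per user
        self._pending: dict[int, tuple[str, str, float]] = {}
        self._user_by_hash: dict[str, int] = {}  # only hashes are stored server-side

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_change(self, user_id: int, new_email: str) -> str:
        # A new request supersedes the earlier one, so the link mailed to the
        # mistyped address stops working as soon as the user corrects it.
        old = self._pending.pop(user_id, None)
        if old is not None:
            self._user_by_hash.pop(old[1], None)
        token = secrets.token_urlsafe(32)
        digest = self._hash(token)
        self._pending[user_id] = (new_email, digest, self._now())
        self._user_by_hash[digest] = user_id
        return token  # to be mailed to new_email only; never stored in clear

    def confirm(self, token: str) -> Optional[tuple[int, str]]:
        """Return (user_id, new_email) for a valid link, None otherwise."""
        user_id = self._user_by_hash.get(self._hash(token))
        if user_id is None:
            return None  # unknown, already used, or superseded
        new_email, digest, issued_at = self._pending.pop(user_id)  # single use
        self._user_by_hash.pop(digest)
        if self._now() - issued_at > TOKEN_TTL_SECONDS:
            return None  # expired, even if never superseded
        return user_id, new_email


def report_scenario(service: EmailChangeService) -> tuple[object, object]:
    """Steps 1-3 of the report with constructed addresses: the first link must fail."""
    first = service.request_change(1, "typo@example.com")      # step 1
    second = service.request_change(1, "correct@example.com")  # step 2
    return service.confirm(first), service.confirm(second)     # step 3
```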
Group: client-services-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: sec-bounty-
Resolution: --- → DUPLICATE
Whiteboard: [site:addons.mozilla.org][reporter-external]
bug 1028836 is about currently-active client sessions when there's been a password change. You wouldn't normally expect an email change to force a session logout, and in any case this is about not expiring the change-confirmation token, not the session itself. Bug 1061006 is a more appropriate duplicate (and was, in fact, found researching another bug submitted by this reporter).
Product: addons.mozilla.org → addons.mozilla.org Graveyard