Closed
Bug 1061261
Opened 10 years ago
Closed 10 years ago
Mozilla Account Take Over By Previously Sent Email Confirmation Link
Categories
(addons.mozilla.org Graveyard :: Public Pages, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1061006
People
(Reporter: bhati.infosec, Unassigned)
Details
(Whiteboard: [site:addons.mozilla.org][reporter-external])
User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36

Steps to reproduce:

Mozilla Account Take Over By Not Expiring Previously Sent Email Confirmation Link

Vulnerable Domain - addons.mozilla.org

POC Video - http://youtu.be/XLM60tTL2gs

Attack Scene

1. The user entered an invalid email by mistake, like bhati.hack@gmail.com, and the confirmation link was sent to this address.
2. Now, after 2 minutes, the user has realised that he entered the wrong email, so he changes the email to bhati.feedback@gmail.com.
3. Now the owner of the bhati.hack@gmail.com email account can use that confirmation link to take over the victim's account and do a password reset.
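The description above pins the flaw on a confirmation link that stays valid after the user enters a different address. As an added illustration, not code from addons.mozilla.org or from the reporter, the following Python model keeps one pending change per account and binds the token to the address it was mailed to, so the first link dies the moment the second is issued; the account, addresses and 24-hour token lifetime are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of a confirmation link

@dataclass
class Account:
    email: str
    # One pending change per account: a new request overwrites, and so revokes, the old link.
    pending_email: Optional[str] = None
    pending_token_hash: Optional[str] = None
    pending_expires_at: float = 0.0

def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()  # store hashes, not live tokens

def request_email_change(acct: Account, new_email: str, now: float) -> str:
    """Issue a fresh token bound to new_email; any earlier token becomes invalid."""
    token = secrets.token_urlsafe(32)
    acct.pending_email = new_email
    acct.pending_token_hash = _hash(token)
    acct.pending_expires_at = now + TOKEN_TTL_SECONDS
    return token  # carried by the link mailed to new_email only

def confirm_email_change(acct: Account, token: str, now: float) -> bool:
    """Accept only the newest, unexpired, unused token; clear it on success."""
    if acct.pending_token_hash is None or now > acct.pending_expires_at:
        return False
    if not hmac.compare_digest(_hash(token), acct.pending_token_hash):
        return False
    acct.email = acct.pending_email
    acct.pending_email = acct.pending_token_hash = None
    acct.pending_expires_at = 0.0
    return True

def report_scenario() -> dict:
    """Replay the report's three steps with constructed addresses."""
    acct = Account(email="victim@example.com")
    t0 = 1_700_000_000.0
    stale = request_email_change(acct, "typo@example.com", t0)
    fresh = request_email_change(acct, "correct@example.com", t0 + 120)  # 2 minutes later
    return {
        "stale_link_rejected": not confirm_email_change(acct, stale, t0 + 300),
        "fresh_link_accepted": confirm_email_change(acct, fresh, t0 + 300),
        "final_email": acct.email,
    }
```

Because the hash is overwritten rather than appended, the link mailed to the mistyped address cannot be redeemed by whoever controls that mailbox, and the remaining token is also time-limited and single-use.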
Updated•10 years ago
Group: client-services-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: sec-bounty-
Resolution: --- → DUPLICATE
Whiteboard: [site:addons.mozilla.org][reporter-external]
Comment 3•10 years ago
bug 1028836 is about currently-active client sessions when there's been a password change. You wouldn't normally expect an email change to force a session logout, and in any case this is about not expiring the change-confirmation token, not the session itself. Bug 1061006 is a more appropriate duplicate (and was, in fact, found researching another bug submitted by this reporter).
Updated•8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard