Mozilla Account Takeover By Previously Sent Email Confirmation Link

Status: RESOLVED DUPLICATE of bug 1061006
Product: addons.mozilla.org Graveyard
Component: Public Pages
Reporter: Narendra Bhati (Unassigned)
Version: unspecified
Bug Flags: sec-bounty -
Whiteboard: [site:addons.mozilla.org][reporter-external]

Description (Reporter, 3 years ago)

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36

Steps to reproduce:

Mozilla Account Takeover By Not Expiring Previously Sent Email Confirmation Link

Vulnerable Domain - addons.mozilla.org
================================

POC Video - http://youtu.be/XLM60tTL2gs

Attack Scenario
1. The user entered an invalid email by mistake, e.g. bhati.hack@gmail.com, and the confirmation link was sent to this address.
2. Two minutes later the user realised that he entered the wrong email, so he changes the email to bhati.feedback@gmail.com.
3. Now the owner of the bhati.hack@gmail.com email account can use that confirmation link to take over the victim's account and do a password reset.
=========


Group: client-services-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Flags: sec-bounty-
Resolution: --- → DUPLICATE
Whiteboard: [site:addons.mozilla.org][reporter-external]
Duplicate of bug: 1028836
bug 1028836 is about currently-active client sessions when there's been a password change. You wouldn't normally expect an email change to force a session logout, and in any case this is about not expiring the change-confirmation token, not the session itself. Bug 1061006 is a more appropriate duplicate (and was, in fact, found researching another bug submitted by this reporter).
Duplicate of bug: 1061006
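The fix the triager's note points at, as an added example that is not AMO's code: one pending email change per account, whose token is hashed at rest, expires, is single-use, and is replaced (and so invalidated) by any newer request, so the link sent to the mistyped address stops working the moment the user corrects it. `EmailChangeService`, `Account`, the TTL and the injectable clock are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingEmailChange:
    """The single outstanding email-change request for one account."""
    new_email: str
    token_hash: str  # only the hash is stored; the raw token goes in the email
    expires_at: float


@dataclass
class Account:
    email: str
    pending: Optional[PendingEmailChange] = None


class EmailChangeService:
    """Issues single-use, expiring confirmation tokens. A newer request
    overwrites the older one, which is what kills a link sent to a
    mistyped address (the gap described in the report above)."""

    def __init__(self, ttl_seconds: int = 3600, now=time.time):
        self.ttl = ttl_seconds
        self.now = now  # injectable clock (assumption: lets expiry be tested)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_change(self, account: Account, new_email: str) -> str:
        token = secrets.token_urlsafe(32)
        # Replacing `pending` invalidates any previously sent link.
        account.pending = PendingEmailChange(
            new_email, self._hash(token), self.now() + self.ttl)
        return token  # would be embedded in the confirmation link

    def confirm(self, account: Account, token: str) -> bool:
        p = account.pending
        if p is None or self.now() > p.expires_at:
            return False  # nothing pending, or the link is stale
        if not hmac.compare_digest(p.token_hash, self._hash(token)):
            return False  # token does not match the current request
        account.email = p.new_email  # apply the change ...
        account.pending = None       # ... and burn the token (single use)
        return True
```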
Updated (Assignee, 2 years ago)
Product: addons.mozilla.org → addons.mozilla.org Graveyard