Unsubscribe Legitimate User from receiving newletter

UNCONFIRMED
Unassigned

Status

Websites
donate.mozilla.org
UNCONFIRMED
4 years ago
4 years ago

People

(Reporter: Abhishek Dashora, Unassigned)

Tracking

Details

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36

Steps to reproduce:

1. As we know that we receive mozilla newsletter on our email address, where there is a link to opt out which is https://sendto.mozilla.org/page/unsubscribe/
2. when we navigate to this link there is an option enter email id and reason.
3. attacker with malicious intentions can run a bot here with thousands of different users email addresses and unsubscribe them all as there is no validation to check whether request is coming from a legitimate source


Actual results:

I was able to unsubscribed my all test account with any validation and authorization 


Expected results:

the request should come from a legitimate source to unsubscribe particular email address. It should not be on hit and try basis .
Group: core-security

Updated

4 years ago
Component: Untriaged → Information Architecture & UX
Product: Firefox → www.mozilla.org

Updated

4 years ago
Component: Information Architecture & UX → donate.mozilla.org
Product: www.mozilla.org → Websites
You need to log in before you can comment on or make changes to this bug.