User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 Steps to reproduce: 1. As we know that we receive mozilla newsletter on our email address, where there is a link to opt out which is https://sendto.mozilla.org/page/unsubscribe/ 2. when we navigate to this link there is an option enter email id and reason. 3. attacker with malicious intentions can run a bot here with thousands of different users email addresses and unsubscribe them all as there is no validation to check whether request is coming from a legitimate source Actual results: I was able to unsubscribed my all test account with any validation and authorization Expected results: the request should come from a legitimate source to unsubscribe particular email address. It should not be on hit and try basis .
Component: Untriaged → Information Architecture & UX
Product: Firefox → www.mozilla.org
5 years ago
Component: Information Architecture & UX → donate.mozilla.org
Product: www.mozilla.org → Websites
You need to log in before you can comment on or make changes to this bug.