Unsubscribe Legitimate User from receiving newletter



5 years ago
4 years ago


(Reporter: abhishekdashora271, Unassigned)





5 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36

Steps to reproduce:

1. As we know that we receive mozilla newsletter on our email address, where there is a link to opt out which is https://sendto.mozilla.org/page/unsubscribe/
2. when we navigate to this link there is an option enter email id and reason.
3. attacker with malicious intentions can run a bot here with thousands of different users email addresses and unsubscribe them all as there is no validation to check whether request is coming from a legitimate source

Actual results:

I was able to unsubscribed my all test account with any validation and authorization 

Expected results:

the request should come from a legitimate source to unsubscribe particular email address. It should not be on hit and try basis .
Group: core-security


5 years ago
Component: Untriaged → Information Architecture & UX
Product: Firefox → www.mozilla.org
Component: Information Architecture & UX → donate.mozilla.org
Product: www.mozilla.org → Websites
You need to log in before you can comment on or make changes to this bug.