Closed Bug 1079364 Opened 10 years ago Closed 10 years ago

Session not invalidated after password reset in addons.mozilla.org

Categories

(addons.mozilla.org Graveyard :: Admin/Editor Tools, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1028836

People

(Reporter: mohammed_fayez2011, Unassigned)

Details

(Whiteboard: [site:addons.mozilla.org][reporter-external] )

User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

Steps to reproduce:

Hi,

After a password reset link is requested and a user's password is then changed, not all existing sessions are logged out automatically. The automatic removal of existing sessions linked to a user whose password was changed is only the case if the session was initiated .

Logging in with the new password doesn't invalidate the older session either: I could browse your site using two sessions (in two different browsers) which were initiated using two different passwords.

Steps:
We have one account "A".
1. Log in with Google Chrome with account A.
2. Log in with Firefox with account A.
3. In Google Chrome, with account A, go to https://addons.mozilla.org/ar/firefox/users/pwreset
4. Change the password.
5. The bug is that the account on Firefox is not logged out.

To fix it: when account A changes its password on Google Chrome, the session on Firefox must be invalidated and logged out.
**************************************************************
Cache leads to Privacy leaks

1. Go to https://bugzilla.mozilla.org
2. Now press logout, and press the back button in the browser. You will see the session back. This is an information disclosure vulnerability, such as the email of the victim.
I recommend checking for a valid, authenticated session and, if there isn't one, redirecting to the login page.

Regards,
Mohammed fayez



Actual results:

If the attacker knows my password and has hacked my account on addons.mozilla.org,
he will log in and tick this: "Remember me on this device to keep logged on".
So the victim now resets his password via https://addons.mozilla.org/ar/firefox/users/pwreset

But there is no way to log out the account the attacker is using, and this leads to full account takeover.


Expected results:

This leads to full account takeover.
Group: core-security → client-services-security
Component: General → Public Pages
Product: Core → addons.mozilla.org
Whiteboard: [reporter-external] DUPEME
Version: Other Branch → unspecified
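The two defects in the report above (other sessions surviving a password reset, and a logged-out page still being served from the browser cache) are both server-side fixes. The following is an added example, not AMO's code and not anything the reporter posted: a constructed in-memory session store that binds each session to a "password generation" counter, so a reset from the password-reset link revokes every session, an authenticated password change keeps only the session that made it, and authenticated pages are sent with `Cache-Control: no-store` so the back button cannot replay them after logout. The class, user names and header table are all illustrative assumptions.

```python
"""Session revocation on password change, plus no-store headers for
authenticated pages. Added example with constructed data; not AMO code."""
import hashlib
import hmac
import os
import secrets
import time

# Headers an authenticated page should carry so that pressing "back" after
# logout re-requests the page (and hits the login redirect) instead of
# replaying it from the browser cache.
AUTHENTICATED_HEADERS = {
    "Cache-Control": "no-store, private, max-age=0",
    "Pragma": "no-cache",
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Toy store: users -> {salt, hash, pw_generation}, sessions -> {user, pw_generation}."""

    def __init__(self):
        self.users = {}
        self.sessions = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "hash": _hash_password(password, salt),
                            "pw_generation": 0}

    def login(self, user: str, password: str):
        """Return a session id, or None on bad credentials."""
        rec = self.users.get(user)
        if rec is None:
            return None
        if not hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"])):
            return None
        sid = secrets.token_urlsafe(32)
        # The session remembers which password generation it was issued under.
        self.sessions[sid] = {"user": user, "pw_generation": rec["pw_generation"],
                              "created": time.time()}
        return sid

    def current_user(self, sid):
        """Resolve a session; a session issued under an old password is dropped."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if s["pw_generation"] != self.users[s["user"]]["pw_generation"]:
            del self.sessions[sid]  # stale: password changed after issuance
            return None
        return s["user"]

    def _set_password(self, user: str, new_password: str) -> None:
        rec = self.users[user]
        rec["salt"] = os.urandom(16)
        rec["hash"] = _hash_password(new_password, rec["salt"])
        rec["pw_generation"] += 1  # every previously issued session is now stale

    def reset_password(self, user: str, new_password: str) -> None:
        """Password-reset-link flow: no session is trusted, so revoke all of them."""
        self._set_password(user, new_password)
        for sid in [s for s, v in self.sessions.items() if v["user"] == user]:
            del self.sessions[sid]

    def change_password(self, sid, new_password: str) -> None:
        """Authenticated change: keep the requesting session, revoke the others."""
        user = self.current_user(sid)
        if user is None:
            raise PermissionError("no valid session")
        self._set_password(user, new_password)
        for other in [s for s, v in self.sessions.items() if v["user"] == user and s != sid]:
            del self.sessions[other]
        self.sessions[sid]["pw_generation"] = self.users[user]["pw_generation"]

    def logout(self, sid) -> None:
        self.sessions.pop(sid, None)

    def render_profile(self, sid):
        """Return (status, headers, body) for an authenticated page."""
        user = self.current_user(sid)
        if user is None:
            return 302, {"Location": "/login", **AUTHENTICATED_HEADERS}, ""
        return 200, dict(AUTHENTICATED_HEADERS), f"profile of {user}"


def reproduce_report():
    """Replay the reporter's Chrome/Firefox scenario against this store."""
    store = SessionStore()
    store.register("A", "old-password")          # constructed account
    chrome = store.login("A", "old-password")
    firefox = store.login("A", "old-password")
    store.reset_password("A", "new-password")     # step 4: reset from Chrome
    return store.current_user(chrome), store.current_user(firefox)


if __name__ == "__main__":
    print(reproduce_report())  # both sessions gone after the reset
```

With this layout the check is a single integer comparison on every request, so revocation costs nothing extra at login time, and no session can outlive the password it was issued under even if a "remember me" cookie keeps it on the client.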
Hi,

What do you mean by your reply?


Regards
Group: client-services-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: sec-bounty-
Resolution: --- → DUPLICATE
Component: Public Pages → Admin/Editor Tools
Whiteboard: [reporter-external] DUPEME → [site:addons.mozilla.org][reporter-external]
What about these steps:

Cache leads to Privacy leaks

1. Go to https://bugzilla.mozilla.org
2. Now press logout, and press the back button in the browser. You will see the session back. This is an information disclosure vulnerability, such as the email of the victim.
I recommend checking for a valid, authenticated session and, if there isn't one, redirecting to the login page.

Regards,
Mohammed fayez
Product: addons.mozilla.org → addons.mozilla.org Graveyard