
Session not invalidated after password reset in addons.mozilla.org

RESOLVED DUPLICATE of bug 1028836

Status

Product: addons.mozilla.org Graveyard
Component: Admin/Editor Tools
Status: RESOLVED DUPLICATE of bug 1028836
Reported: 3 years ago
Modified: 2 years ago

People

(Reporter: Mohammed Fayez, Unassigned)

Tracking

Version: unspecified
Platform: x86
OS: Windows XP
Bug Flags:
sec-bounty -

Details

(Whiteboard: [site:addons.mozilla.org][reporter-external] )

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

Steps to reproduce:

Hi,

After a password reset link is requested and a user's password is then changed, not all existing sessions are logged out automatically. The automatic removal of existing sessions linked to a user whose password was changed is only the case if the session was initiated .

Logging in with the new password doesn't invalidate the older session either: I could browse your site using two sessions (in two different browsers) which were initiated using two different passwords.

steps:
we have one account "A"
1- log in with Google Chrome with account A
2- log in with Firefox with account A
3- go to Google Chrome with account A
https://addons.mozilla.org/ar/firefox/users/pwreset
4- change password
5- the bug: the account on Firefox is not logged out

to fix it: when account A changes the password on Google Chrome, the session on Firefox must be invalidated (Firefox must be logged out)
**************************************************************
Cache leads to Privacy leaks

1- go to https://bugzilla.mozilla.org
2- Now press logout, and press the back button on the browser. You will see the session back. This is an information disclosure vulnerability, e.g. the email of the victim.
I recommend checking for a valid, authenticated session and, if there isn't one, redirecting to the login page.

Regards,
Mohammed Fayez



Actual results:

If the attacker knows my password and has hacked my account on addons.mozilla.org,
he will log in and tick this: "Remember me on this device to keep logged on".
So the victim now resets his password via https://addons.mozilla.org/ar/firefox/users/pwreset

but there is no way to log the account out of the attacker's session, and this leads to full account takeover.


Expected results:

This leads to full account takeover.
Group: core-security → client-services-security
Component: General → Public Pages
Product: Core → addons.mozilla.org
Whiteboard: [reporter-external] DUPEME
Version: Other Branch → unspecified
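The behaviour the report asks for, as an added worked example (this is not addons.mozilla.org's own code): a minimal in-memory session store that binds every session to a per-user password generation counter. Changing the password, whether from a logged-in session or through the emailed reset link, bumps the counter, so every session issued under the old password stops validating on its next request, and a "remember me" cookie gets no exemption. The `SessionStore`, `demo`, the account "A" and its passwords are constructed for illustration.

```python
"""Invalidate every other session when a user's password changes.

Added example (not addons.mozilla.org code). Each session records the
user's password_generation at creation; validation compares it with the
user's current value, so a password change expires all older sessions,
"remember me" or not. Users and passwords below are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    password_hash: str
    password_generation: int = 0  # bumped on every password change


@dataclass
class Session:
    user: str
    generation: int          # password_generation when the session was issued
    remember_me: bool = False


def hash_password(password: str) -> str:
    # Demo only: a real service uses argon2/bcrypt with a per-user salt.
    return hashlib.sha256(b"demo-salt:" + password.encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = User(username, hash_password(password))

    def login(self, username: str, password: str, remember_me: bool = False) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.password_hash, hash_password(password)):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, user.password_generation, remember_me)
        return sid

    def is_valid(self, sid: str) -> bool:
        """Run on every request: the cookie alone proves nothing if the
        password has changed since it was issued."""
        session = self.sessions.get(sid)
        if session is None:
            return False
        return session.generation == self.users[session.user].password_generation

    def _rotate_password(self, user: User, new_password: str) -> None:
        user.password_hash = hash_password(new_password)
        user.password_generation += 1

    def change_password(self, sid: str, new_password: str) -> bool:
        """Password change from a logged-in session: keep only that session
        and re-bind it to the new generation; drop all others."""
        if not self.is_valid(sid):
            return False
        session = self.sessions[sid]
        user = self.users[session.user]
        self._rotate_password(user, new_password)
        self.sessions = {k: v for k, v in self.sessions.items()
                         if v.user != user.username or k == sid}
        session.generation = user.password_generation
        return True

    def reset_password(self, username: str, new_password: str) -> None:
        """Reset via an emailed link (the pwreset flow): no existing session
        is trusted, so all of the user's sessions are dropped."""
        self._rotate_password(self.users[username], new_password)
        self.sessions = {k: v for k, v in self.sessions.items() if v.user != username}


def demo() -> Dict[str, bool]:
    """Reproduce the report: victim in Chrome, attacker in Firefox with
    'remember me', victim changes the password from Chrome."""
    store = SessionStore()
    store.register("A", "old-password")
    chrome = store.login("A", "old-password")
    firefox = store.login("A", "old-password", remember_me=True)
    assert chrome and firefox
    store.change_password(chrome, "new-password")
    return {
        "chrome_still_valid": store.is_valid(chrome),
        "firefox_still_valid": store.is_valid(firefox),
        "old_password_still_works": store.login("A", "old-password") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The check in `is_valid` runs on every request, not only at login; that is what the report says was missing. Django, for comparison, does the same thing by keeping an HMAC of the user's password hash in the session and rejecting sessions whose value no longer matches, which is why its `update_session_auth_hash` has to be called after a password change to keep the current session alive while others die.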
(Reporter)

Comment 1

3 years ago
Hi,

What do you mean by your reply?


Regards
Group: client-services-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Flags: sec-bounty-
Resolution: --- → DUPLICATE
Duplicate of bug: 1028836
Component: Public Pages → Admin/Editor Tools
Whiteboard: [reporter-external] DUPEME → [site:addons.mozilla.org][reporter-external]
(Reporter)

Comment 3

3 years ago
What about these steps:

Cache leads to Privacy leaks

1- go to https://bugzilla.mozilla.org
2- Now press logout, and press the back button on the browser. You will see the session back. This is an information disclosure vulnerability, e.g. the email of the victim.
I recommend checking for a valid, authenticated session and, if there isn't one, redirecting to the login page.

Regards,
Mohammed Fayez
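On the "press back after logout and the page is still there" symptom raised in the description and again in this comment: in most cases the browser is replaying its own cached copy of the page, not the server honouring a live session, so a server-side session check alone does not remove it, because the cached page is never requested again. The usual fix is to mark every authenticated response as not storable. The following is an added example, not Bugzilla's or addons.mozilla.org's code: a WSGI middleware that rewrites the caching headers whenever a (constructed) `demo.authenticated` environ flag is set, shown against a constructed account page that wrongly allows caching.

```python
"""Mark authenticated responses as non-cacheable so the back button cannot
replay them after logout.

Added example (not Bugzilla or addons.mozilla.org code). A WSGI middleware
rewrites caching headers when the (constructed) environ flag
'demo.authenticated' is set; public pages keep whatever the app sent.
"""
from typing import Callable, Dict, Iterable, List, Tuple

Headers = List[Tuple[str, str]]
STRIPPED = {"cache-control", "pragma", "expires"}
NO_STORE: Headers = [
    ("Cache-Control", "no-store, private, max-age=0"),
    ("Pragma", "no-cache"),   # for HTTP/1.0 caches
    ("Expires", "0"),
]


def no_store_middleware(app: Callable) -> Callable:
    def wrapped(environ, start_response):
        def patched_start(status, headers: Headers, exc_info=None):
            if environ.get("demo.authenticated"):
                # Replace any cache policy the app set; private data must not be stored.
                headers = [h for h in headers if h[0].lower() not in STRIPPED] + NO_STORE
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped


def demo_app(environ, start_response) -> Iterable[bytes]:
    """Constructed app: an account page that (wrongly) allows 10 minutes of caching."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Cache-Control", "public, max-age=600")])
    return [b"Logged in as victim@example.com"]


def call(app: Callable, environ: Dict) -> Tuple[str, Dict[str, str], bytes]:
    """Drive a WSGI app in-process and return status, headers, body."""
    captured: Dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def is_storable(headers: Dict[str, str]) -> bool:
    """What a cache (shared, private, or back/forward) decides from Cache-Control."""
    directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
    return "no-store" not in directives


if __name__ == "__main__":
    app = no_store_middleware(demo_app)
    for env in ({"demo.authenticated": True}, {}):
        status, hdrs, body = call(app, env)
        print(env, hdrs.get("Cache-Control"), "storable" if is_storable(hdrs) else "not storable")
```

Pair this with the session check the comment recommends: `no-store` stops the stale copy being shown, and the per-request session validation makes sure a fresh request for the same URL redirects to login. Firefox and Chrome have historically also excluded `no-store` responses from their back/forward cache, which is what makes the back button go to the server instead of to the cached page.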
(Assignee)

Updated

2 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard