Closed Bug 1096521 Opened 11 years ago Closed 10 years ago

broken authentication, Improper session management and weak encoding

Categories

(addons.mozilla.org Graveyard :: Administration, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: shaheemirza, Unassigned)

References

Details

(Keywords: reporter-external)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36

Steps to reproduce:

A long story: I have two Gmail accounts,
1: shaheemirza@gmail.com
2: testnowforme@gmail.com
I created an account at addons.mozilla.org with testnowforme@gmail.com.

[A part] Now,
1: at https://addons.mozilla.org/en-US/firefox/users/edit I set my email testnowforme@gmail.com to shaheemirza@gmail.com.
2: Clicked Update Account.
3: The system sent me a confirmation email with a URL.
Now, I have logged in at my shaheemirza@gmail.com.
1: Click on the confirmation URL.
2: My addons.mozilla.org account's email is now shaheemirza@gmail.com.
Look, I was in the same browser and it did not log me out of my addons.mozilla.org account but changed my email address. It said, [Your email address was changed successfully From now on, please use shaheemirza@gmail.com to log in.]
And as I have clicked that confirmation URL at shaheemirza@gmail.com, it must be expired, so I can use that link/URL only once, never again.

[B part] Now again,
1: at https://addons.mozilla.org/en-US/firefox/users/edit I set my email shaheemirza@gmail.com to testnowforme@gmail.com.
2: Clicked Update Account.
3: The system sent me a confirmation email with a URL.
Now, I have logged in at my testnowforme@gmail.com.
1: Click on the confirmation URL.
2: My addons.mozilla.org account's email is now testnowforme@gmail.com.
Look, I was in the same browser and it did not log me out of my addons.mozilla.org account but changed my email address. It said, [Your email address was changed successfully From now on, please use testnowforme@gmail.com to log in.]
And as I have clicked that confirmation URL at testnowforme@gmail.com, it must be expired, so I can use that link/URL only once.

[C] Now the original part. Look, both of my inboxes have a mail with an email change confirmation URL, and both have already been used.
Look, now my addons.mozilla.org account's login email is testnowforme@gmail.com, because I have done part [B]. But, again, I have logged in at my shaheemirza@gmail.com.
1: Click on the confirmation URL again.
2: My addons.mozilla.org account's email is now shaheemirza@gmail.com again.
So, the confirmation URL does not expire once it has been used!!

** The confirmation URL must expire when it has been used, and every time the email has been changed the user must be automatically logged out [cut the session].

A real-world scenario:
1: If I have mistakenly set my addons.mozilla.org account's email address testnowforme@gmail.com to shaheemir@gmail.com instead of shaheemirza@gmail.com,
2: and then I instantly fix my fault by sending another email change URL to shaheemirza@gmail.com and set my address as shaheemirza@gmail.com,
3: it will not save my account, because the owner of shaheemir@gmail.com will be able to reset my addons.mozilla.org account's email to his shaheemir@gmail.com.
4: By using "forgot my pass" he will obtain my account, then he is able to "Delete account".
Result: Full Account Takeover and Loss of account.

For a PoC: this link will set shaheemirza@gmail.com.
https://addons.mozilla.org/en-US/firefox/user/11245140/emailchange/MTEyNDUxNDAsc2hhaGVlbWlyemFAZ21haWwuY29tLDE0MTU2MTM4NzI%3D/114c735ef895b379737aa57869a91d1587bcc02ccdf57084c60e9232daab87b4
This link will set testnowforme@gmail.com from shaheemirza@gmail.com.
https://addons.mozilla.org/en-US/firefox/user/11245140/emailchange/MTEyNDUxNDAsdGVzdG5vd2Zvcm1lQGdtYWlsLmNvbSwxNDE1NjE0NDk1/1af6f17a934a8c70a83f10439c4a59f7e574b31b38c3697051f4319a90f9f177

---------------------------------------

You are using a very weak encoding (base64) algorithm instead of strong encryption:
Now, take a confirmation URL from above, https://addons.mozilla.org/en-US/firefox/user/11245140/emailchange/MTEyNDUxNDAsdGVzdG5vd2Zvcm1lQGdtYWlsLmNvbSwxNDE1NjE0NDk1/1af6f17a934a8c70a83f10439c4a59f7e574b31b38c3697051f4319a90f9f177
then take "MTEyNDUxNDAsdGVzdG5vd2Zvcm1lQGdtYWlsLmNvbSwxNDE1NjE0NDk1", then go to https://www.base64decode.org/ and decode it; the result will be "11245140,testnowforme@gmail.com,1415614495" where
11245140 = user id number
testnowforme@gmail.com = user email
1415614495 = timestamp
1415614495 is equivalent to: 11/10/2014 @ 10:14am (UTC)
Is exposing the server timestamp safe? Is base64 safe?

Actual results: N/A
Expected results: N/A
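An added example (not AMO's code) of how a server can make an email-change link both signed and single-use, using the payload layout the report decoded (base64 of "userid,email,timestamp" plus a hex signature). The secret, the 24-hour lifetime, the HMAC-SHA256 construction and the in-memory "consumed" registry are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed server secret and link lifetime (assumed values for this example).
SECRET = b"constructed-example-secret"
TOKEN_TTL = 24 * 3600  # seconds an email-change link stays valid

# Signatures of links already redeemed; a real deployment persists this per user
# so a link cannot be replayed after the address was changed again.
_consumed = set()


def decode_payload(payload_b64):
    """Split the 'userid,email,timestamp' payload seen in the report's URLs."""
    raw = base64.b64decode(payload_b64).decode()
    user_id, email, issued_at = raw.split(",")
    return int(user_id), email, int(issued_at)


def make_token(user_id, new_email, issued_at):
    """Build the payload and an HMAC-SHA256 signature over it (format assumed)."""
    raw = f"{user_id},{new_email},{issued_at}".encode()
    payload = base64.b64encode(raw).decode()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload, sig


def confirm_email_change(payload, sig, now=None, consumed=None):
    """Accept a link only if it is authentic, unexpired and never used before.

    Returns ((user_id, new_email), "ok") on success, else (None, reason).
    After "ok" the caller should apply the change and invalidate the user's
    other sessions, which is the second fix the report asks for.
    """
    now = int(time.time()) if now is None else now
    consumed = _consumed if consumed is None else consumed
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # tampered payload or wrong key
        return None, "bad signature"
    user_id, new_email, issued_at = decode_payload(payload)
    if now - issued_at > TOKEN_TTL:            # exposed timestamp is harmless if enforced
        return None, "expired"
    if sig in consumed:                        # the replay the report demonstrates
        return None, "already used"
    consumed.add(sig)                          # burn the link before acting on it
    return (user_id, new_email), "ok"
```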
Thank you for the report. In the future, you should open separate bugs for separate issues. The issue with the confirmation links not expiring is known and we have decided previously to not address that issue. The possibility of account compromise from links that a user must generate for themselves is considered low. As to the other issue, I'll allow others to give their views.
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty-
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Group: client-services-security
Product: addons.mozilla.org → addons.mozilla.org Graveyard