
Poodle attack in mail.mozilla.org



3 years ago
3 years ago


(Reporter: Muhammad Shahmeer, Unassigned)


Bug Flags:
sec-bounty -




3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36

Steps to reproduce:

Hey there,
I found the existence of poodle attack in mail.mozilla.org.
I tested the domain using poodlescan.com and found it to be vulnerable.

Actual results:

The SSL v3 is allowed on the domain making it vulnerable

Expected results:

The domain should not have been vulnerable


3 years ago
Group: core-security → websites-security
Component: Untriaged → Other
OS: Windows 8.1 → All
Product: Firefox → Websites
Hardware: x86_64 → All
Version: Firefox 38 → unspecified

Comment 1

3 years ago
Awaiting your reply on this

Comment 2

Please use the list of available sites for the bounty program at https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs .

This site is not on the list and, in fact, we have transitioned away from it for Mozilla email.

Comment 3

3 years ago
So this counts as a hostile subdomain. Don't you think that? Because one way or another it proves a vulnerability.

Comment 4

It isn't on the list so it would have to be an extremely bad vulnerability in order to be worth a bounty. This is a subdomain scheduled to be decommissioned.

I suggest actually using the list of eligible domains in the FAQ when looking for bounties.

Comment 5

3 years ago
I will, thanks for the suggestion.
And sorry for the stupid questions.
Flags: sec-bounty?

Comment 6

The use of SSLv3 on this domain is voluntary. We're aware of the risks, and have accepted them. Thanks for reporting it, but this is not a vulnerability.
Last Resolved: 3 years ago
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-
Group: websites-security