Bugzilla- Account Take Over Bug

RESOLVED INVALID

Status

()

RESOLVED INVALID
4 years ago
4 years ago

People

(Reporter: narendra.infosec, Unassigned)

Tracking

Details

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36

Steps to reproduce:

Hello Mozilla Team In Bugzilla

Got an account take over bug , Kindly take a look at that

Issue

When user changes his email address , to any new one , then his old email password change link is not getting expired which leads to account take over of user

Reproductions Step

1.Create an account in Bugzilla with email like "real@gmail.com" or you can use an existed account

2.Now logged out and request for password reset

3.Now logged in again and change your email to "newreal@gmail.com"

4.Now you can go to you "real@gmail.com" inbox and click on the reset password link which you have

5.requested recently, after changing the password you will get complete access.


The impact of this vulnerability is

Suppose victim has request a password reset link which he has never user on "real@gmail.com"
Now after some day he has change his email to "newreal@gmail.com"

Now if an attacker got access to his old email "real@gmail.com", then he can look for the password change link and can used that to reset victim password.
Ping me if you need more info !
Looking forward to you !



Expected results:

Note - if the user changed his email to new one , then all old unused password reset link should be expire on server side!
Which exact version of Bugzilla are you testing with?

Gerv

Comment 2

4 years ago
(In reply to Narendra Bhati from comment #0)
> Now if an attacker got access to his old email "real@gmail.com", then he can
> look for the password change link and can used that to reset victim password.

This scenario is irrelevant. If the attacker has access to the old victim account within 3 days after the email address change request, he can already cancel this change thanks to the token being given in the "change email address" email.

Moreover, all password change requests are automatically canceled once the user logs in (your step 3):

    # The user's credentials are okay, so delete any outstanding
    # password tokens or login failures they may have generated.
    Bugzilla::Token::DeletePasswordTokens($user->id, "user_logged_in");
Assignee: general → user-accounts
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Component: Bugzilla-General → User Accounts
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.