Closed
Bug 1169908
Opened 9 years ago
Closed 9 years ago
Hello Conversation links indexed in web pages
Categories
(Hello (Loop) :: Client, defect, P3)
Tracking
(firefox41 fixed)
| | Tracking | Status |
|---|---|---|
| firefox41 | --- | fixed |
People
(Reporter: shahmeerbond, Assigned: standard8)
References
Details
(Keywords: sec-low, wsec-disclosure, Whiteboard: [post-critsmash-triage])
Attachments
(1 file)
408 bytes, patch | mikedeboer: review+
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36 OPR/27.0.1689.76

Steps to reproduce:
This is critical. The conversation links are being indexed in Google searches because there is no meta tag or X-Robots-Tag header enabled.
Using this dork
site:hello.firefox.com
you can browse through 100s of conversation links.

Actual results:
It will show you all the conversation links being indexed.

Expected results:
The links should not have been indexed in the Google searches.
Assignee
Updated•9 years ago
Assignee: nobody → standard8
Status: UNCONFIRMED → NEW
Iteration: --- → 41.2 - Jun 8
Points: --- → 1
Component: General → Client
Ever confirmed: true
Priority: -- → P3
Assignee
Comment 1•9 years ago
Note: I believe the engines are only indexing urls that have already been made public by posting on public sites. Using the site just makes the list more easily accessible. We obviously should tell search engines not to list these, but I'm not convinced this is a security sensitive bug.
Assignee
Comment 2•9 years ago
Simple addition of robots.txt - same as on Firefox Accounts & Loop server. As we've only got the standalone page hosted, this should be fine.
Attachment #8613431 - Flags: review?(mdeboer)
Updated•9 years ago
Attachment #8613431 - Flags: review?(mdeboer) → review+
Assignee
Comment 3•9 years ago
https://hg.mozilla.org/integration/fx-team/rev/42cd73c073f6
Reporter
Comment 4•9 years ago
Hey Mark, This is a security sensitive bug here. Anyone has access to the invite links because of this simple misconfiguration
Assignee
Comment 5•9 years ago
(In reply to Muhammad Shahmeer from comment #4)
> Hey Mark, This is a security sensitive bug here. Anyone has access to the
> invite links because of this simple misconfiguration

Sorry, I disagree. To explain a bit more: anyone has access to those links from the search engine because they've already been published on various web pages, or social media in a public format (e.g. search for just "hello.firefox.com" including the quotes). As a result of the public publishing the search engine has followed the links and collated them.

I could also set up my own robot to crawl web pages looking for published ones, and I wouldn't even have to touch hello.firefox.com, and if I did, I could ignore robots.txt.

The links themselves are designed to not easily be guessable (https://wiki.mozilla.org/Loop/Architecture/MVP#Token_Length_and_Generation), and search engines aren't going to go and try to guess all the valid urls.

Hence, the only thing that no robots.txt means is a slightly easier way to find already published urls, and some not-so-pretty indexes on search engines for the hello pages.
Comment 6•9 years ago
The links are indexed probably because they've been shared publicly via social media, like Twitter or other. Our missing robots.txt config file allowed for those links to be followed and indexed. However, there isn't a vulnerability present that allows search bot indexing of arbitrary/ all Hello links. It's just the ones shared by users on the web.
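As an added example (not part of this bug thread or of the Hello code base), the following Python code audits one URL for the three controls mentioned in this bug: robots.txt, the X-Robots-Tag header and a robots meta tag. It assumes standard crawler behaviour, where robots.txt governs fetching and a noindex directive is only read from a page the crawler is allowed to fetch; the URL token and the robots.txt body are constructed samples.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class MetaRobots(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.directives |= split_directives(a.get("content", ""))


def split_directives(value):
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def audit_indexing_controls(url, robots_txt, headers, html, agent="*"):
    """Report which crawl and index controls apply to one URL."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawl_allowed = rp.can_fetch(agent, url)

    tag = next((v for k, v in headers.items() if k.lower() == "x-robots-tag"), "")
    header_noindex = "noindex" in split_directives(tag)

    meta = MetaRobots()
    meta.feed(html)
    meta_noindex = "noindex" in meta.directives

    return {
        "crawl_allowed": crawl_allowed,
        "header_noindex": header_noindex,
        "meta_noindex": meta_noindex,
        # A compliant crawler reads noindex only from pages it may fetch.
        "noindex_seen": crawl_allowed and (header_noindex or meta_noindex),
    }


# Constructed inputs: placeholder token, not the attachment on this bug.
URL = "https://hello.firefox.com/EXAMPLE-TOKEN"
BLOCK_ALL = "User-agent: *\nDisallow: /\n"
if __name__ == "__main__":
    print(audit_indexing_controls(URL, "", {}, "<html></html>"))
    print(audit_indexing_controls(URL, BLOCK_ALL, {"X-Robots-Tag": "noindex"}, ""))
    print(audit_indexing_controls(URL, "", {"X-Robots-Tag": "noindex"}, ""))
```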
Updated•9 years ago
Status: NEW → ASSIGNED
Updated•9 years ago
Group: core-security → client-services-security
Keywords: sec-low, wsec-disclosure
Comment 7•9 years ago
https://hg.mozilla.org/mozilla-central/rev/42cd73c073f6
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox41: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Updated•9 years ago
Flags: sec-bounty?
Comment 9•9 years ago
As a sec-low rated bug, this does not qualify for a bounty.
Flags: sec-bounty? → sec-bounty-
Updated•9 years ago
Group: client-services-security → firefox-core-security
Updated•9 years ago
Group: firefox-core-security → core-security-release
Updated•9 years ago
Whiteboard: [post-critsmash-triage]
Updated•8 years ago
Group: core-security-release