1169908 - Hello Conversation links indexed in web pages

Status: RESOLVED FIXED

(Hello (Loop) :: Client, defect, P3)

Description

[Muhammad Shahmeer]

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36 OPR/27.0.1689.76

Steps to reproduce:

This is critical, The conversation links are being indexed in google searches because there is no meta tag or X-robots-tag header enabled

Using this dork site:hello.firefox.com
You can browser through 100s of conversation links 


Actual results:

It will show you all the conversation links being indexed


Expected results:

The links should not have been indexed in the google searches

Comment 1

[Mark Banner (:standard8)]

Note: I believe the engines are only indexing urls that have already been made public by posting on public sites.

Using the site just makes the list more easily accessible. We obviously should tell search engines not to list these, but I'm not convinced this is a security sensitive bug.

Comment 2

[Mark Banner (:standard8)]

Attachment: Add a robots.txt for Loop's standalone UI.

Simple addition of robots.txt - same as on Firefox Accounts & Loop server. As we've only got the standalone page hosted, this should be fine.

Comment 3

[Mark Banner (:standard8)]

https://hg.mozilla.org/integration/fx-team/rev/42cd73c073f6

Comment 4

[Muhammad Shahmeer]

Hey Mark, This is a security sensitive bug here. Anyone has access to the invite links because of this simple misconfiguration

Comment 5

[Mark Banner (:standard8)]

(In reply to Muhammad Shahmeer from comment #4)
> Hey Mark, This is a security sensitive bug here. Anyone has access to the
> invite links because of this simple misconfiguration

Sorry, I disagree. To explain a bit more: anyone has access to those links from the search engine because they've already been published no various web pages, or social media in a public format (e.g. search for just "hello.firefox.com" including the quotes). As a result of the public publishing the search engine has followed the links and collated them.

I could also set up my own robot to crawl web pages looking for published ones, and I wouldn't even have to touch hello.firefox.com, and if I did, I could ignore robots.txt.

The links themselves are designed to not easily be guessable (https://wiki.mozilla.org/Loop/Architecture/MVP#Token_Length_and_Generation), and search engines aren't going to go and try to guess all the valid urls.

Hence, the only thing that no robots.txt means is a slightly easier way for to find already published urls, and some not-so-pretty indexes on search engines for the hello pages.

Comment 6

[Mike de Boer [:mikedeboer]]

The links are indexed probably because they've been shared publicly via social media, like Twitter or other.

Our missing robots.txt config file allowed for those links to be followed and indexed.

However, there isn't a vulnerability present that allows search bot indexing of arbitrary/ all Hello links. It's just the ones shared by users on the web.

Comment 7

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/42cd73c073f6

Comment 8

[Mark Banner (:standard8)]

This has been deployed via bug 1170277.

Comment 9

[Al Billings [:abillings - ex-MoCo]]

As a sec-low rated bug, this does not qualify for a bounty.