Compatibility History of add-ons is based on the add-on ID not the add-on in the developer's profile

Status: RESOLVED WORKSFORME
Product: addons.mozilla.org Graveyard
Component: Developer Pages
Reporter: Away for a while
Assignee: Unassigned
Tracking: ACR-0.9

(Reporter)

Description

STR:

1. Have user 1 create an extension with id "x@y".
2. Have user 1 submit the extension to AMO, and then remove it from AMO.
3. Have user 2 submit another extension with id "x@y" and submit it to AMO.
4. From the add-on page (example: <https://addons.mozilla.org/en-US/developers/addon/geckoprofiler/edit>) click "Compatibility Reports" (example: <https://addons.mozilla.org/en-US/firefox/compatibility/reporter/jid0-edalmuivkozlouyij0lpdx548bc%40jetpack>)
5. See the full history of the add-on's compatibility including items from what user 1 has done.

This is leaking data from user 1 to user 2 so I'm marking the bug as private.

The problem seems to be that the URL is constructed based on the add-on ID and we don't verify whether the logged in user has the right to see the entries in the table.
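The gap the STR describes is an authorization check keyed on a reusable identifier: the add-on ID in the URL is looked up directly, the logged-in user's relationship to the add-on is never checked, and nothing ties older reports to the submission they belonged to. The following is an added illustration, not AMO's code; the models, users, timestamps and report texts are constructed for the example, and the hardened variant shows one way to scope the lookup (owner check plus a lifetime window), which is an assumption about the fix rather than what AMO deployed.

```python
"""Added illustration, not AMO's code: why a view keyed only on a reusable
add-on ID leaks the previous owner's compatibility history to whoever
registers that ID next, and one way to scope the lookup. The models,
users and report texts below are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass(frozen=True)
class User:
    name: str


@dataclass
class Addon:
    pk: int                # database primary key, unique per submission
    guid: str              # developer-chosen ID such as "x@y", reusable after deletion
    authors: List[User]
    created: datetime
    deleted: bool = False


@dataclass
class CompatReport:
    guid: str              # reports from clients carry only the add-on ID
    submitted: datetime
    text: str


# Constructed data mirroring the STR: user 1 submits "x@y" and removes it,
# user 2 later submits an unrelated extension under the same ID.
user1, user2 = User("user1"), User("user2")
ADDONS = [
    Addon(1, "x@y", [user1], datetime(2012, 1, 1), deleted=True),
    Addon(2, "x@y", [user2], datetime(2012, 6, 1)),
]
REPORTS = [
    CompatReport("x@y", datetime(2012, 2, 1), "breaks on Firefox 10"),   # user 1's era
    CompatReport("x@y", datetime(2012, 7, 1), "works on Firefox 13"),    # user 2's era
]


def reports_vulnerable(viewer: User, guid: str) -> List[str]:
    """The reported behaviour: return every report for the ID in the URL
    without checking who is asking or which submission the reports belong to."""
    return [r.text for r in REPORTS if r.guid == guid]


def current_addon(guid: str) -> Addon:
    """Resolve an ID to the one non-deleted add-on that holds it now."""
    live = [a for a in ADDONS if a.guid == guid and not a.deleted]
    if len(live) != 1:
        raise LookupError("no single active add-on for %r" % guid)
    return live[0]


def can_view(viewer: User, guid: str) -> bool:
    """Authorization check the original view lacks: the viewer must be an
    author of the add-on currently registered under the ID."""
    try:
        return viewer in current_addon(guid).authors
    except LookupError:
        return False


def reports_hardened(viewer: User, guid: str) -> List[str]:
    """Check ownership, then return only reports filed during the current
    submission's lifetime so a previous owner's history stays hidden."""
    if not can_view(viewer, guid):
        raise PermissionError("viewer is not an author of this add-on")
    addon = current_addon(guid)
    return [r.text for r in REPORTS
            if r.guid == guid and r.submitted >= addon.created]
```

With this data, `reports_vulnerable(user2, "x@y")` returns both reports, including the one filed while user 1 owned the ID, whereas `reports_hardened(user2, "x@y")` returns only the report from user 2's submission and `reports_hardened(user1, "x@y")` is refused. The lifetime window is a retrofit for reports that already exist; the durable fix is to resolve the ID to the active add-on's primary key when a report is ingested and store that key, so a report can never be attributed to a later submission that happens to reuse the same ID.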
Jorge Villalobos [:jorgev]

Comment 1

Compatibility reports aren't considered private, so anyone can find them if they know the add-on ID. We don't publicize them anywhere (I think).

Not sure if this is a real problem. I'd be more concerned if users were posting private information in those reports, but I haven't seen any instances of this.
(Reporter)

Comment 2

(In reply to Jorge Villalobos [:jorgev] from comment #1)
> Compatibility reports aren't considered private, so anyone can find them if
> they know the add-on ID. We don't publicize them anywhere (I think).

Is that true? If I open <https://addons.mozilla.org/en-US/firefox/compatibility/reporter/jid0-edalmuivkozlouyij0lpdx548bc%40jetpack> without having logged in, I get an error page.

> Not sure if this is a real problem. I'd be more concerned if users were
> posting private information in those reports, but I haven't seen any
> instances of this.

Yeah, that's fair. I'm not sure how severe this is in practice.
Anyone have a reason to be opposed to removing the 'Security-Sensitive Client Services Bug' flag?

Group: client-services-security
Status: NEW → RESOLVED
Resolution: --- → WORKSFORME

(Assignee)

Updated

Product: addons.mozilla.org → addons.mozilla.org Graveyard