Web Server flood attack and email Flood attack is possible.


Status: REOPENED
Product: www.mozilla.org
Component: Newsletters
Reported: 2 years ago
Modified: 2 years ago

People

(Reporter: Suman, Unassigned)

Tracking

unspecified
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [reporter-external] [web-bounty-form] [verif?], URL)

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
Created attachment 8750450
https://www.mozilla.org/en-US/foundation/licensing/website-content/

Web Server flood attack and email Flood attack is possible.  See attachment
Flags: sec-bounty?
Comment 1

Thanks for the report, Suman.

There was already an open bug to work on this, #1262893
Group: websites-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → DUPLICATE
Duplicate of bug: 1262893
Comment 2

This probably IS a duplicate report -- the newsletter people don't seem to care about us being used for spam -- but it's not of bug 1262893. That bug is for adding a button for the _user_, after they have already gotten the initial sign-up email. That's to prevent people getting automatically added to the mailing list if they accidentally clicked the link in the mail or if some mail security scanning software opened the link to check it out before letting the mail through.

This bug is about spamming users with unwanted confirmation mails. I guess from the title it's also about DoSing our server(s) (incoming web/outgoing mail) because there's no rate limiting.
Status: RESOLVED → REOPENED
Component: Other → Newsletters
Ever confirmed: true
Flags: sec-bounty- → sec-bounty?
Product: Websites → www.mozilla.org
Resolution: DUPLICATE → ---
Comment 3

For example, bug 1001153 is presented differently but it basically means the same thing.

Comment 4

2 years ago
Thank you Suman and :dveditz.  This is an unfortunate side-effect of our current email opt-in setup.

We are in the midst of re-architecting our email infrastructure set to go live end of June. We are working on a feature to prevent this type of abuse from happening.


There's the user story we're using for development:

As the Admin of the CRM program at Mozilla, I want for our system to prevent someone from getting the same email 5 times in 5 minutes, so that I can stop the email address in question from being spammed and prevent deliverability issues.


Acceptance criteria:
I can submit the same email to the email signup form more than 5 times in 5 minutes, and only receive the email 5 times.


We'll track the progress of this feature in this bug.

Please let me know if you have any questions.

Thank you.
(Reporter)

Comment 5

2 years ago
What if the attacker is automating new emails and not the same email? Implementing Captcha is the best solution. IP restriction is also recommended. -Regards Suman
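The throttle described in comment 4 (no more than 5 sign-up mails to one address in 5 minutes) and the gap raised in comment 5 (an attacker rotating through fresh addresses from one client) as an added Python example. This is illustration code written for this page, not the newsletter service's own implementation; the class name SignupLimiter, the per-IP limit of 20 and the replayed traffic are assumptions made here.

```python
from collections import defaultdict, deque

# Limits stated in the user story in comment 4: the same address must not
# receive more than 5 sign-up mails in 5 minutes.
EMAIL_LIMIT = 5
WINDOW_SECONDS = 300
# Per-source limit is an assumed value; the bug does not specify one.
IP_LIMIT = 20


class SignupLimiter:
    """Sliding-window limiter keyed on recipient address and on client IP.

    Assumed name and design, not the service's own code.
    """

    def __init__(self, email_limit=EMAIL_LIMIT, ip_limit=IP_LIMIT,
                 window=WINDOW_SECONDS):
        self.email_limit = email_limit
        self.ip_limit = ip_limit          # None disables the per-IP check
        self.window = window
        self._by_email = defaultdict(deque)   # address -> times a mail was sent
        self._by_ip = defaultdict(deque)      # ip -> times an attempt was accepted

    def _hit(self, table, key, now, limit):
        """Record one event for `key` if fewer than `limit` fall in the window."""
        q = table[key]
        while q and now - q[0] >= self.window:
            q.popleft()               # drop events older than the window
        if len(q) >= limit:
            return False
        q.append(now)
        return True

    def allow(self, email, ip, now):
        """Decide whether a sign-up request may trigger a confirmation mail.

        Returns (allowed, reason). The source IP is checked first so that a
        client cycling through many never-seen addresses is still throttled
        (the case raised in comment 5); a per-address limit alone lets every
        fresh address through.
        """
        if self.ip_limit is not None and not self._hit(self._by_ip, ip, now, self.ip_limit):
            return False, "ip-rate-limited"
        key = email.strip().lower()   # minimal normalisation of the address
        if not self._hit(self._by_email, key, now, self.email_limit):
            return False, "email-rate-limited"
        return True, "send"


def mails_sent(limiter, requests):
    """Replay (timestamp, email, ip) requests; return how many mails go out."""
    return sum(1 for t, email, ip in requests if limiter.allow(email, ip, t)[0])


# The traffic below is constructed for the example, not captured data.
def same_address_burst():
    """Acceptance criterion from comment 4: 8 submissions in 5 min -> 5 mails."""
    reqs = [(t, "victim@example.com", "198.51.100.7") for t in range(8)]
    return mails_sent(SignupLimiter(), reqs)


def window_expiry():
    """Once the window has passed, the same address may be mailed again."""
    lim = SignupLimiter()
    first = mails_sent(lim, [(t, "victim@example.com", "198.51.100.7") for t in range(5)])
    later = mails_sent(lim, [(WINDOW_SECONDS + 1, "victim@example.com", "198.51.100.7")])
    return first, later


def rotating_addresses(ip_limit):
    """Comment 5's case: one client, 50 distinct addresses inside the window."""
    reqs = [(t, f"user{t}@example.com", "203.0.113.5") for t in range(50)]
    return mails_sent(SignupLimiter(ip_limit=ip_limit), reqs)


if __name__ == "__main__":
    print(same_address_burst())          # 5
    print(window_expiry())               # (5, 1)
    print(rotating_addresses(None))      # 50: per-address limit alone does not help
    print(rotating_addresses(IP_LIMIT))  # 20
```

The per-address key only stops repeated mail to one victim; it does nothing against the web-server and outgoing-mail flood in the bug title when addresses are rotated, which is what the per-IP bucket is for. A per-IP bucket is in turn blunt against many sources (or many users behind one NAT), which is why comment 5 also asks for a Captcha rather than rate limiting alone.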
(Reporter)

Comment 6

2 years ago
Any further update on this? Gone through bug 1001153; bug 1271414 is not related to CSRF. Bug 1001153 and bug 1271414 are totally different GAPS.
Comment 7

Denial of Service bugs are not covered by our bug bounty program.
Flags: sec-bounty? → sec-bounty-