Closed Bug 1271741 Opened 9 years ago Closed 9 years ago

"User since" field not anonymized on account delete

Categories

(addons.mozilla.org :: Security, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: c4u53.secure, Unassigned)

Details

Addons.mozilla.org prevents users from changing their email address, but this logical bug allows me to change the email address. This is the video of the POC: https://www.youtube.com/watch?v=B4giQSb_Nvo&feature=youtu.be

Steps of exploiting:
1- Open the same account, one in Chrome, the second in Firefox.
2- Make a sign in the account to make sure it will be changed.
3- Delete the account from one browser. Now it's deleted.
4- Refresh the other browser.
5- You can now change your email address.
6- Now you have changed your email address.
7- Confirm the email.
8- It's changed.

Best,
Muhammad Nasef (C4U53)
And as a scenario, imagine this: a hacker hacked someone's email. Now, if your email was hacked, what will you do? You will use password reset, which works with email, but if the email was changed, now the user can't retrieve his hacked email.
Severity: major → critical
From now on the attacker could change his email as many times as he wants! And this is the vulnerability.
:kthiessen I am sorry, but is this the right section to post this vulnerability, or should I report it in the Websites section?
Thanks for the report. Not a bug - notice the account name says 'Anonymous-somechars'? The account data is deleted and the name is changed to anonymous-something.
Group: client-services-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
(In reply to Adam Muntner [:adamm] (use NEEDINFO) from comment #4)
> Thanks for the report. Not a bug - notice the account name says
> 'Anonymous-somechars'?
>
> The account data is deleted and the name is changed to anonymous-something.

From this perspective you are right, as I tested, but this is one of two problems. The other problem which I found is that the addons website prevents changing email, so I could make an email and do the steps which are in the video, so whenever I want to change my email address I could, although the addons website prevents users from changing emails. You could notice that after the account is deleted, and I notice the account name says 'Anonymous-somechars', now I could edit the email to whatever I want, so it's a bypass of this control.
(In reply to Adam Muntner [:adamm] (use NEEDINFO) from comment #4)
> Thanks for the report. Not a bug - notice the account name says
> 'Anonymous-somechars'?
>
> The account data is deleted and the name is changed to anonymous-something.

I retested the first problem again, which is changing the account email, and I found that there is a problem in your words. You are right that it says Anonymous-somechars, but what you didn't notice is that not all data is deleted, as you can see in the video where I typed "sign in". Another proof that this is the account and not another is the "User since" part in About me: you will see it won't be changed after the exploiting, so it's the same account, without only the picture, username and email, but with other data, and the same account, as I said, proven by the field "User since". And I am sorry that at first I told you "From this perspective you are right as I tested but this is one of two problems", because I didn't notice what I told you now. So this is an issue, and you have one issue which is this and another which I've mentioned in comment 5.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Adam, would you mind re-checking according to comment 6? Thanks!
Flags: needinfo?(amuntner)
#5 "You could notice that after the account deleted and I notice the account name says 'Anonymous-somechars?" now I could edit the email whatever I want so it's bypass to this control."

It's not intended functionality, but it's not a security bug, either. I'm not certain that there was a conscious design decision about changing usernames or not, but even if there was, there is no security impact. If "user since" is still carried and wasn't deleted, that's interesting, but it's a functional bug; I don't see any security or privacy impact given that the profile was anonymized of identifying user data. If I'm wrong, you're welcome to needinfo me and describe the attack.
Severity: critical → normal
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago → 9 years ago
Flags: needinfo?(amuntner)
Resolution: --- → FIXED
Summary: Logic bug allows me to change email although the website doesn't allow this. → "User since" field not anonymized on account delete
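The two defects debated above (a field left populated after anonymization, and a second browser's session surviving the delete) are easy to reason about with a small model. The following is an added, constructed sketch written for this page, not AMO's code: an account store whose delete handler scrubs every identifying field, including a hypothetical `user_since` column, and revokes all sessions for that user, so a stale session cannot keep editing the account. All class, field and function names are assumptions.

```python
"""Constructed model of an account-delete handler: anonymize every identifying
field (including a 'user_since' date) and revoke every live session.
Not AMO's code; names and fields are illustrative."""
from dataclasses import dataclass
import secrets


@dataclass
class User:
    id: int
    username: str
    email: str
    display_name: str
    about_me: str
    user_since: str  # ISO date; hypothetical field name
    deleted: bool = False


class AccountStore:
    def __init__(self):
        self.users = {}       # user id -> User
        self.sessions = {}    # session token -> user id
        self._next_id = 1

    def create_user(self, username, email, about_me, user_since):
        user = User(self._next_id, username, email, username, about_me, user_since)
        self.users[user.id] = user
        self._next_id += 1
        return user

    def login(self, user_id):
        """Issue a fresh session token (one per browser)."""
        token = secrets.token_urlsafe(16)
        self.sessions[token] = user_id
        return token

    def _authenticate(self, token):
        # Reject tokens that were revoked and accounts that are already deleted.
        user_id = self.sessions.get(token)
        if user_id is None:
            raise PermissionError("session revoked or unknown")
        user = self.users[user_id]
        if user.deleted:
            raise PermissionError("account deleted")
        return user

    def delete_account(self, token):
        user = self._authenticate(token)
        anon = "Anonymous-" + secrets.token_hex(4)
        user.username = anon
        user.display_name = anon
        user.email = f"{anon}@invalid.example"
        user.about_me = ""
        user.user_since = ""   # the field the thread found still populated
        user.deleted = True
        # Revoke *every* session for this user, not only the one that issued the delete.
        self.sessions = {t: uid for t, uid in self.sessions.items() if uid != user.id}
        return user

    def change_email(self, token, new_email):
        user = self._authenticate(token)
        user.email = new_email
        return user


def demo():
    """Replay the two-browser scenario from the report against this model."""
    store = AccountStore()
    user = store.create_user("alice", "alice@example.test", "hello", "2016-05-01")
    chrome = store.login(user.id)    # constructed: session in browser A
    firefox = store.login(user.id)   # constructed: session in browser B
    store.delete_account(chrome)
    try:
        store.change_email(firefox, "someone-else@example.test")
        stale_session_allowed = True
    except PermissionError:
        stale_session_allowed = False
    return {
        "stale_session_allowed": stale_session_allowed,
        "user_since": user.user_since,
        "email": user.email,
        "username_anonymized": user.username.startswith("Anonymous-"),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks that matter are in `delete_account`: the session revocation must cover all tokens for the user, and the anonymization must enumerate every profile field rather than only the visible ones, which is how a date column such as "User since" gets missed.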
Andreas, I adjusted the bug title to reflect the functional bug. Needinfo so you see this and can track the functional defect on GitHub as an issue.
Flags: needinfo?(awagner)
I doubt that you didn't understand me. "User since" is just an indicator that this is the addon email which we intended to change; another indicator is the About me in details, in which I wrote in the video "Sign for this is my email". So it's just an indicator! About the security impact of changing email: now imagine a user account is hacked. How could he restore his account if the email, which is the only factor that the user could use to reset his password, is changed? And I disagree with you on "It's not intended functionality", because I think that the reason which I've mentioned above is the reason why the website refuses to let me change my email. And for this reason I think it's a security bug!
Status: RESOLVED → UNCONFIRMED
Flags: needinfo?(amuntner)
Resolution: FIXED → ---
Summary: "User since" field not anonymized on account delete → Logic bug allows attacker to change email although the website doesn't allow this
Do not change the subject or bug status. If the user account is hacked, the attacker could also delete the user account, in which case the user would have to create a new account, hopefully with a different password. Users shouldn't trust any addons in their account in case the attacker tampered with them in some way, replacing addons with links to poisoned ones. Probably best to delete a recovered account and make a new one. None of these things put the user or sensitive personal information at any risk.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → WONTFIX
Summary: Logic bug allows attacker to change email although the website doesn't allow this → "User since" field not anonymized on account delete
Bug was closed on June 28th.
Flags: needinfo?(amuntner)