Delete email without confirming by password

RESOLVED WONTFIX

Status

addons.mozilla.org
Security
2 years ago
2 years ago

People

(Reporter: Muhammad Amr Nasef, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 years ago
When deleting the account by this link
https://addons.mozilla.org/en-US/firefox/users/delete

The application didn't ask for a password but asks for the email, which is in the placeholder attribute, so if the user left his account, someone could delete his account easily.

Solution: add confirming with password.

Best,
Muhammad Nasef (C4U53)

Comment 1

As we recently migrated to Firefox Accounts, addons.mozilla.org does not store passwords any longer. We cannot ask for confirmation using your password because we don't have it anymore.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX
Group: client-services-security
(Reporter)

Comment 2

2 years ago
But this will cause the same problem in Firefox Accounts!
Because if the account was deleted from the addons then it'll be deleted from Firefox Accounts.
So can't you use a sort of verification which redirects the user to Firefox Accounts, which confirms deleting by password?
(Reporter)

Comment 3

2 years ago
If Firefox Accounts asks for a password when deleting an account but addons doesn't, then there is a need for this in Firefox Accounts, because the attacker could use addons to delete Firefox accounts.

Comment 4

Deleting your account on addons.mozilla.org does not delete it from Firefox Accounts.
(Reporter)

Comment 5

2 years ago
(In reply to Mark Striemer [:mstriemer] from comment #4)
> Deleting your account on addons.mozilla.org does not delete it from Firefox
> Accounts.

Excuse me, but in the end the attacker could delete the addons account of the victim, so there are a lot of solutions you could implement in this case.