Bug 1272068 - content spoofing on location.services.mozilla.com

Status: RESOLVED FIXED (opened 10 years ago, closed 5 years ago)
Product / Component: Location :: General
Type: defect
Priority: P2
Tracking: not tracked
Reporter: c4u53.secure
Assignee: dustin
Keywords: reporter-external, sec-low, wsec-impersonation
Attachments: Untitled.png (image, 1 file)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36

Steps to reproduce:

Go to this website: https://location.services.mozilla.com//For%20more%20information%20you%20could%20log%20in%20to%20our%20website%20www.evil.com

Actual results:

The user will think www.evil.com is from Mozilla, and this website could contain many things, like malware or a fake website where the user will enter his email and password, thinking it's the website which is vulnerable.

Expected results:

The victim's computer will be hacked, or his account on the Mozilla website.

Looks like this got lost as it was not raised as part of the bug bounty program :/
I'll try to find the right people to look at it...

Note that this is a core site in the bug bounty program.

Flags: sec-bounty?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → ckolos
Component: Other → Operations: Location
Product: Websites → Cloud Services

So how much time will it take to know whether this issue is valid or not?

Flags: needinfo?(c4u53.secure)

This is a valid issue.

Flags: needinfo?(c4u53.secure)

Is this issue for the hall of fame or a payout?

Potentially yes, that's what the "sec-bounty?" means.
However, it would apply to the initial reporter.

So is my report eligible for any hall of fame or bounty?

This is application behavior, not infrastructure, so I'm moving it to the application bugs. Because it is sec-low and a 4-year-old bug, I'm setting priority as P2. I hope to ship a fix in 30 days.

This issue reflects the behavior of the default 404 view in Pyramid. The production behavior for an unknown URL is to set the error message to the URL path. This becomes the detail in the HTTPException base class, which is then injected into the body_template_obj template when rendering.

The solution is to implement our own not found view that doesn't repeat the request path.

Assignee: ckolos → nobody
Component: Operations: Location → General
OS: Unspecified → All
Priority: -- → P2
Product: Cloud Services → Location
Hardware: Unspecified → All
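The behaviour described in the comment above (a default 404 view whose "detail" is the request path, rendered into the error body) next to the replacement view that does not repeat the path, with the same regression check the later stage/prod verification comments perform by hand. This is an added example, not code from the Mozilla Location Service project: it uses a dependency-free stdlib WSGI app in place of Pyramid so it runs offline, and the /__heartbeat__ route, the LURE phrase and the exact HTML layout of the echoing body are assumptions. In Pyramid itself the hardened handler is a view registered with pyramid.view.notfound_view_config (or config.add_notfound_view) that returns a fixed body.

```python
"""Model of bug 1272068: a 404 handler that echoes the request path into the
error body (content spoofing on a trusted origin) beside a handler that does not.

Added example; stdlib WSGI stands in for Pyramid. Not project code.
"""
from html import escape
from io import BytesIO
from urllib.parse import unquote

# Constructed input: the path from the bug report, percent-encoded as in the URL.
ATTACK_PATH_RAW = ("//For%20more%20information%20you%20could%20log%20in%20to"
                   "%20our%20website%20www.evil.com")
# The phrase the attacker wants a victim to read on the trusted domain (assumed lure).
LURE = "log in to our website www.evil.com"


def _respond(start_response, status, body):
    start_response(status, [("Content-Type", "text/html; charset=UTF-8"),
                            ("Content-Length", str(len(body)))])
    return [body]


def echoing_notfound(environ, start_response):
    """Before: mimics a default 404 body whose 'detail' is the request path.
    HTML-escaping prevents script injection, but attacker-chosen text is still
    rendered under the trusted origin, which is the spoofing problem here."""
    detail = escape(environ.get("PATH_INFO", ""))
    body = ("<html><head><title>404 Not Found</title></head><body>\n"
            "<h1>404 Not Found</h1>\nThe resource could not be found.<br/><br/>\n"
            f"{detail}\n</body></html>").encode("utf-8")
    return _respond(start_response, "404 Not Found", body)


def fixed_notfound(environ, start_response):
    """After: a constant body with nothing derived from the request."""
    return _respond(start_response, "404 Not Found", b"<h1>404 Not Found</h1>")


def make_app(notfound_view):
    """Tiny router: one hypothetical route (assumed, not from the page);
    every other path is handed to notfound_view."""
    def app(environ, start_response):
        if environ.get("PATH_INFO") == "/__heartbeat__":
            return _respond(start_response, "200 OK", b"OK")
        return notfound_view(environ, start_response)
    return app


def call(app, raw_path):
    """Drive a WSGI app offline and return (status, body).
    PATH_INFO is percent-decoded, as a real WSGI server does before dispatch."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": unquote(raw_path),
        "QUERY_STRING": "",
        "SERVER_NAME": "location.services.mozilla.com",
        "SERVER_PORT": "443",
        "wsgi.url_scheme": "https",
        "wsgi.input": BytesIO(b""),
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def reflects_request(app, raw_path=ATTACK_PATH_RAW, lure=LURE):
    """Regression check: True when the 404 page echoes the attacker's text,
    i.e. the content-spoofing bug is present."""
    status, body = call(app, raw_path)
    return status.startswith("404") and lure in body.decode("utf-8")


if __name__ == "__main__":
    for name, view in (("echoing", echoing_notfound), ("fixed", fixed_notfound)):
        print(f"{name}: reflects attacker text = {reflects_request(make_app(view))}")
```

The check deliberately looks for the lure phrase rather than for unescaped markup: escaping is what makes this sec-low instead of XSS, but it does nothing against plain-text impersonation, so a fix is only verified when the error body carries no request-derived text at all.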
Assignee: nobody → jwhitlock
Status: NEW → ASSIGNED

Unassigning myself. I was hoping to get to this after some other (boring) work, but I haven't gotten to it, and this may be a good task for a new team member.

Assignee: jwhitlock → nobody
Status: ASSIGNED → NEW
Assignee: nobody → dustin

Merged, fixed in stage:

https://location.stage.mozaws.net//For%20more%20information%20you%20could%20log%20in%20to%20our%20website%20www.evil.com

This now returns only <h1>404 Not Found</h1>.

We'll close when it is in prod later this week.

Status: NEW → ASSIGNED

This has been deployed to prod. The original URL now returns the text "404 Not Found", and no longer suggests to log in to www.evil.com.

https://location.services.mozilla.com//For%20more%20information%20you%20could%20log%20in%20to%20our%20website%20www.evil.com

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Flags: sec-bounty? → sec-bounty-

Is there any hall of fame after this issue is resolved?

(In reply to Vivek Panday from comment #12)
> Is there any hall of fame after this issue is resolved?

We assess the issue as sec-low; there really isn't much security impact here.
