
Status

Cloud Services
Server: Firefox Accounts
RESOLVED DUPLICATE of bug 1190108
a year ago
a year ago

People

(Reporter: LOUDIYI, Assigned: rfkelly)

Tracking

({sec-low, wsec-disclosure})

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

a year ago
Created attachment 8844000 [details]
Email Enumeration 2.png

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/45.1
Build ID: 20160507231935

Steps to reproduce:

When you try to log in to your Firefox account at https://accounts.firefox.com/signin?context=web
there is an error message when you put in an invalid email, "Unknown account. Sign up", which helps attackers to enumerate emails;
when you put in a valid email, another message appears that demands the correct password, so it will be easy to enumerate valid emails for a password brute-force attack or dictionary attack.


Actual results:

When you put in a valid email, another message appears, "Incorrect password. To double-check what you've entered, press and hold down the Show button.", that demands the correct password, so it will be easy to enumerate valid emails for a password brute-force attack or dictionary attack.


Expected results:

Hide the message and use another form message when the credentials are bad, for example:
Invalid email or password
Bad credentials

Updated

a year ago
Component: Firefox Start → Server: Firefox Accounts
Product: Websites → Cloud Services

Comment 1

a year ago
Thanks for the report Loudiyi!

I get a 400 HTTP status code with errno 102 and message "Unknown account" for an unregistered email address, and a 400 with errno 103 and message "Incorrect password" for an existing account.

relevant OWASP page: https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)

I assigned this sec-low since it's an email disclosure mitigated by the customs server rate limiting requests by IP, and we previously decided in https://bugzilla.mozilla.org/show_bug.cgi?id=1190108 that the UX benefit of differentiating between known and unknown email addresses outweighs the risk from email enumeration.

:rfkelly or :vladikoff can you confirm that https://api.accounts.firefox.com/v1/account/login is rate-limited and enumeration is possible by design?
Assignee: nobody → rfkelly
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(vlad)
Flags: needinfo?(rfkelly)
Keywords: sec-low, wsec-disclosure
(Assignee)

Comment 2

a year ago
> can you confirm that https://api.accounts.firefox.com/v1/account/login is rate-limited and enumeration is possible by design?

Yes.  All endpoints that can return info about whether a particular account exists are rate-limited to prevent large-scale enumeration.  (Or at least, they *should* be - if we have evidence that this rate-limiting is not in place then that's definitely a bug!)
Status: NEW → RESOLVED
Last Resolved: a year ago
Flags: needinfo?(rfkelly)
Resolution: --- → DUPLICATE
Duplicate of bug: 1190108
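The oracle from comment 1 (errno 102 "Unknown account" vs errno 103 "Incorrect password" from /v1/account/login), the reporter's suggested uniform error, and the per-IP rate limiting that comment 2 relies on, modelled as an added example. This is illustration code written for this page, not Mozilla's FxA or customs-server code: the account store, salt, password hashes, client IP, the limit and window of the rate limiter, and the errno used by the uniform error are all invented here; only the 102/103 values and the two messages come from the bug.

```python
"""Toy model of the login enumeration oracle reported in this bug.

Added example, not Mozilla code. Everything below other than the errno
values 102/103 and their messages is an assumption made for the demo.
"""
import hashlib
import hmac
import time
from collections import defaultdict, deque

SALT = b"constructed-example-salt"  # assumption: a real store uses per-user salts


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 20_000)


# Constructed sample account store (made-up users, not real FxA data).
ACCOUNTS = {
    "alice@example.com": _hash("correct horse battery staple"),
    "bob@example.com": _hash("hunter2"),
}
_DUMMY_HASH = _hash("dummy")  # verified against for unknown emails so both paths cost the same


def login_distinguishing(email: str, password: str) -> dict:
    """Behaviour quoted in comment 1: errno 102 for an unknown email,
    errno 103 for a known email with the wrong password."""
    stored = ACCOUNTS.get(email)
    if stored is None:
        return {"status": 400, "errno": 102, "message": "Unknown account"}
    if not hmac.compare_digest(stored, _hash(password)):
        return {"status": 400, "errno": 103, "message": "Incorrect password"}
    return {"status": 200}


def login_uniform(email: str, password: str) -> dict:
    """The reporter's 'Expected results': one error for any bad credential.
    The password is always hashed and compared, even for unknown emails,
    so response time does not leak what the message no longer does.
    errno 900 is invented for this example."""
    stored = ACCOUNTS.get(email)
    matched = hmac.compare_digest(stored if stored is not None else _DUMMY_HASH, _hash(password))
    if stored is None or not matched:
        return {"status": 400, "errno": 900, "message": "Invalid email or password"}
    return {"status": 200}


class IpRateLimiter:
    """Sliding-window limiter keyed by client IP, the kind of mitigation
    comment 2 describes. limit and window_s are made-up values."""

    def __init__(self, limit: int = 5, window_s: float = 60.0, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self._hits = defaultdict(deque)

    def allow(self, ip: str) -> bool:
        now = self.clock()
        hits = self._hits[ip]
        while hits and now - hits[0] >= self.window_s:  # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def enumerate_emails(login_fn, limiter: IpRateLimiter, ip: str, candidates):
    """Attacker's view: classify each candidate email purely from the errno
    returned for a wrong password. Returns (registered, unregistered,
    undetermined); undetermined holds emails blocked by the limiter or
    answered with a non-distinguishing error."""
    registered, unregistered, undetermined = [], [], []
    for email in candidates:
        if not limiter.allow(ip):
            undetermined.append(email)
            continue
        resp = login_fn(email, "not-the-password")
        if resp.get("errno") == 102:
            unregistered.append(email)
        elif resp.get("errno") == 103:
            registered.append(email)
        else:
            undetermined.append(email)
    return registered, unregistered, undetermined


if __name__ == "__main__":
    cands = ["alice@example.com", "carol@example.com", "bob@example.com", "dave@example.com"]
    ip = "203.0.113.5"  # documentation-range address, constructed
    print("oracle, generous limit:", enumerate_emails(login_distinguishing, IpRateLimiter(limit=100), ip, cands))
    print("oracle, limit 2/window:", enumerate_emails(login_distinguishing, IpRateLimiter(limit=2), ip, cands))
    print("uniform error:         ", enumerate_emails(login_uniform, IpRateLimiter(limit=100), ip, cands))
```

Run as-is, the first line shows the oracle sorting the list into registered and unregistered addresses, the second shows the limiter cutting the probe off after two attempts from one IP (a real attacker spreads requests across IPs, which is why comment 1 rates this only sec-low rather than fixed), and the third shows the uniform error leaving every address undetermined. The dummy-hash comparison in login_uniform matters: a uniform message with an early return for unknown emails would reopen the oracle through response timing.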

Updated

a year ago
Flags: needinfo?(vlad)

Updated

a year ago
Duplicate of this bug: 1347253
Duplicate of this bug: 1368301
(Assignee)

Comment 5

a year ago
:ulfr, does it make sense for us to open up this bug publicly, or have some other public reference to refer people to about this issue since it keeps popping up?  e.g. Google has a list of non-qualifying vulnerabilities on [1], although I imagine they still get reports of them from time to time.

[1] https://www.google.com/about/appsecurity/reward-program/
Flags: needinfo?(jvehent)
Group: websites-security
Thanks for opening it, ulfr. I agree that it makes sense to open up frequently reported Wontfixes and Duplicates.
Flags: needinfo?(jvehent)