Created attachment 8844000: Email Enumeration 2.png

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/45.1
Build ID: 20160507231935

Steps to reproduce:

When you try to log in to your Firefox account at https://accounts.firefox.com/signin?context=web there is an error message when you enter an invalid email, "Unknown account. Sign up", which helps attackers enumerate emails. When you enter a valid email, a different message appears that asks for the correct password, so it is easy to enumerate valid emails for a password brute-force or dictionary attack.

Actual results:

When you enter a valid email, a different message appears, "Incorrect password. To double-check what you've entered, press and hold down the Show button.", that asks for the correct password, so it is easy to enumerate valid emails for a password brute-force or dictionary attack.

Expected results:

Hide the message and use another form message when the credentials are bad, for example: "Invalid email or password" or "Bad credentials".
Component: Firefox Start → Server: Firefox Accounts
Product: Websites → Cloud Services
Thanks for the report Loudiyi!

I get a 400 HTTP status code with errno 102 and message "Unknown account" for an unregistered email address, and a 400 with errno 103 and message "Incorrect password" for an existing account.

Relevant OWASP page: https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)

I assigned this sec-low since it's an email disclosure mitigated by the customs server rate limiting requests by IP, and we previously decided in https://bugzilla.mozilla.org/show_bug.cgi?id=1190108 that the UX benefit of differentiating between known and unknown email addresses outweighs the risk from email enumeration.

:rfkelly or :vladikoff, can you confirm that https://api.accounts.firefox.com/v1/account/login is rate-limited and enumeration is possible by design?
Assignee: nobody → rfkelly
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-low, wsec-disclosure
> can you confirm that https://api.accounts.firefox.com/v1/account/login is rate-limited and enumeration is possible by design?

Yes. All endpoints that can return info about whether a particular account exists are rate-limited to prevent large-scale enumeration. (Or at least, they *should* be - if we have evidence that this rate-limiting is not in place then that's definitely a bug!)
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1190108
:ulfr, does it make sense for us to open up this bug publicly, or have some other public reference to refer people to about this issue since it keeps popping up? e.g. Google has a list of non-qualifying vulnerabilities on https://www.google.com/about/appsecurity/reward-program/, although I imagine they still get reports of them from time to time.
Thanks for opening it, ulfr. I agree that it makes sense to open up frequently reported Wontfixes and Duplicates.