Closed
Bug 1364705
Opened 8 years ago
Closed 8 years ago
Issue in login functionality in *.taskcluster.net
Categories
(Websites :: Other, enhancement)
Websites
Other
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: gopiengg, Unassigned)
References
()
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments
(1 file)
33.26 KB, image/png
Description
A user can log in using email through the site even when his email ID is not already verified: https://login.taskcluster.net/auth0/login-local
Here the attacker enters his email ID to log in.
Once the attacker enters his email ID, he gets the code to log in:
"An email with the code has been sent to attacker@gmail.com."
The attacker then receives the 6-digit code at his mail ID.
Below is the POST request:
<html>
<body>
<form action="https://auth.mozilla.auth0.com/passwordless/verify" method="POST">
<input type="hidden" name="connection" value="email" />
<input type="hidden" name="email" value="attacker@gmail.com" />
<input type="hidden" name="verification_code" value="820295" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
He can enter the code on the page. Once the code is authenticated successfully, the request is forwarded to a URL similar to the one below:
https://auth.mozilla.auth0.com/passwordless/verify_redirect?scope=openid&response_type=code&email=gopiengg%40gmail.com&sso=true&connection=email&verification_code=196312&client_id=1db5KNoLN5rLZukvLouWwVouPkbztyso&redirect_uri=https%3A%2F%2Flogin.taskcluster.net%2Fauth0%2Fcallback&auth0Client=<REDACTED>
But using interceptor tools like Burp, the response to the above request can be dropped by the attacker. The attacker can use the above URL to make the victim log in to his (the attacker's) account.
If any victim clicks on or visits any trusted page which has the above link, he will be directly logged in to the attacker's account.
Impact:
By forcing the victim to log in to the attacker's account, the victim will not be aware that he is working in the attacker's taskcluster account. Whatever the victim adds/updates can be tracked by the attacker later.
Flags: sec-bounty?
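The report above describes a login-CSRF shape: a callback URL produced by the attacker's own passwordless flow is handed to a victim's browser, which then completes someone else's login. The standard defence in redirect-based flows is to bind the callback to the browser session that started it with an unguessable, single-use `state` value. The following is an added illustration, not code from the report or from Taskcluster/Auth0; the endpoints, client id and codes are constructed placeholders.

```python
"""Added example (not part of the bug report or of Taskcluster's code): binding a
passwordless / OAuth-style callback to the browser session that started it, so a
callback URL lifted from another user's flow is rejected instead of logging the
victim into that other account."""
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values (assumptions, not the real endpoints or client id).
AUTHORIZE_ENDPOINT = "https://idp.example.invalid/passwordless/verify_redirect"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://app.example.invalid/auth0/callback"


def begin_login(session: Dict[str, str], email: str) -> str:
    """Start the flow for one browser session: mint an unguessable one-time
    `state`, store it in that session, and carry it through the redirect."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "scope": "openid",
        "response_type": "code",
        "connection": "email",
        "email": email,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: Dict[str, str], callback_url: str) -> Tuple[bool, str]:
    """Callback handler. Accepts the authorization code only if the `state` in
    the URL matches the one this very session minted; returns (accepted, reason)."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: also blocks replay
    received = query.get("state", [None])[0]
    if expected is None:
        return False, "no login in progress for this session"
    if received is None or not hmac.compare_digest(expected.encode(), received.encode()):
        return False, "state mismatch: callback not started by this browser"
    code = query.get("code", [None])[0]
    if not code:
        return False, "missing authorization code"
    # Token exchange with the identity provider would happen here (omitted);
    # only after the state check passes is a login session established.
    session["logged_in_with_code"] = code
    return True, "ok"


def idp_redirect_for(authorize_url: str, code: str) -> str:
    """Stand-in for the identity provider: after the email code is verified it
    redirects to redirect_uri, echoing back the `state` it was given."""
    q = parse_qs(urlparse(authorize_url).query)
    params = {"code": code, "state": q["state"][0]}
    return f"{q['redirect_uri'][0]}?{urlencode(params)}"


def simulate() -> Dict[str, Tuple[bool, str]]:
    """Replay the scenario from the report against the hardened handler."""
    attacker: Dict[str, str] = {}
    attacker_url = begin_login(attacker, "attacker@example.invalid")
    # The IdP's redirect, which the attacker drops and instead hands to a victim.
    callback = idp_redirect_for(attacker_url, code="CONSTRUCTED_CODE")

    victim_idle: Dict[str, str] = {}      # victim never started a login
    victim_active: Dict[str, str] = {}
    begin_login(victim_active, "victim@example.invalid")  # has its own state

    return {
        "victim_idle": handle_callback(victim_idle, callback),
        "victim_active": handle_callback(victim_active, callback),
        "attacker_self": handle_callback(attacker, callback),
        "attacker_replay": handle_callback(attacker, callback),
    }


if __name__ == "__main__":
    for name, (ok, why) in simulate().items():
        print(f"{name:16} accepted={ok} ({why})")
```

Only the browser that minted the `state` can complete the login, and only once; a victim with no login in progress, or with a different login in progress, is refused, which is the check that turns the forwarded URL in the report into a dead link.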
Comment 2•8 years ago
gopiengg: thanks for your report on this, let me see if I can summarize the issues you're describing...
1.) Anyone can log in to taskcluster and thus obtain the Auth0 client ID (I believe this to be known and probably an acceptable outcome because it's an app-specific code)
2.) Once you have the Auth0 client ID you can craft a URL with the necessary secrets to convince a victim to authenticate to the attacker's account, and then the victim would unknowingly operate in the attacker's account, potentially allowing the attacker to see what they are doing? (this seems a little far fetched, but in essence this is how passwordless auth works, so I'm inclined to call this as works as expected)
Comment 3•8 years ago
garndt/dustin: Is it your expectation that any user can login to taskcluster? (literally anyone with an email address)
Flags: needinfo?(garndt)
Flags: needinfo?(dustin)
Comment 5•8 years ago
Since #1 is expected and #2 above is also expected, I'm going to mark this bug as WONTFIX.
gopiengg: thanks again for the submission, we look forward to more submissions from you.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Updated•8 years ago
Flags: sec-bounty? → sec-bounty-
Comment 6•8 years ago
Lifting security flag, as this does not appear to be security sensitive.
Group: websites-security
Updated•11 months ago
Keywords: reporter-external