User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170627155318

Steps to reproduce:

Proof of Concept:
1. Go to: https://bugzilla.mozilla.org/createaccount.cgi
2. Enter the email address (for Create New Account).
3. Click on the checkbox and press the "Create Account" button.
4. Capture this request.
5. Configure the position where payloads will be inserted (Position: email address).
6. So, let's start the Sniper attack.
7. Now, check the response in the browser.

#Video POC is attached for more information: https://drive.google.com/open?id=0B0fAyQvEfvHtUjBHN216N29qejg

Actual results:

Check the response in the browser: "There is already an account with the login name email@example.com." i.e. the email addresses of valid users are successfully found out.

Expected results:

Respected Bugzilla Security Team,

Hi, I found a vulnerability on your website. The details of the vulnerability are as follows.

#Vulnerability Title: Brute Force Attack - Email Enumeration Attack to Find Valid Users
#Vulnerable Domain: https://bugzilla.mozilla.org/createaccount.cgi
#Severity: HIGH
#Description:
- Find out valid email addresses that already have a Bugzilla account.
- This email-subscription page doesn't have any protection against brute-force attacks and email enumeration.
#Impact:
- A brute-force attack exists on this page.
- An attacker can find out which users have a bugzilla.mozilla account.
#Recommendation:
- It's recommended to implement some type of lockout after a defined number of email attempts.
- After a valid-email attempt, the server should give an error like: "The email you entered did not match our records. Please double-check and try again."
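The recommendation above amounts to two server-side controls: answer the account-creation request identically whether or not the address is registered, and rate-limit repeated attempts per client. The following is an added illustration of both, not Bugzilla's code; the handler names, the 5-attempts-per-10-minutes threshold, the mail-queue stand-in and the sample addresses are all constructed for this example.

```python
"""Enumeration-resistant account creation (added example, not Bugzilla's code)."""
import time
from collections import defaultdict, deque

# Constructed sample of addresses that already hold an account.
EXISTING_ACCOUNTS = {"alice@example.com", "bob@example.com"}

# One response for both outcomes, so the body reveals nothing about the address.
GENERIC_RESPONSE = ("If that address is not already registered, a confirmation "
                    "email has been sent to it.")
RATE_LIMIT_RESPONSE = "Too many account requests; please try again later."

OUTBOX = []  # constructed stand-in for an outbound mail queue


def queue_confirmation_mail(email):
    OUTBOX.append(("confirm", email))


def queue_notice_to_owner(email):
    # Existing account: tell the owner out of band instead of telling the client.
    OUTBOX.append(("owner-notice", email))


class RateLimiter:
    """Sliding window: at most `limit` attempts per `window` seconds per key."""

    def __init__(self, limit=5, window=600.0):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:  # drop expired attempts
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # rejected attempts are not recorded
        hits.append(now)
        return True


def create_account(email, client_ip, limiter, now=None):
    """Return (http_status, body); the body is the same for new and existing addresses."""
    if not limiter.allow(client_ip, now):
        return 429, RATE_LIMIT_RESPONSE
    email = email.strip().lower()
    if email in EXISTING_ACCOUNTS:
        queue_notice_to_owner(email)
    else:
        queue_confirmation_mail(email)
    return 200, GENERIC_RESPONSE
```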
Group: firefox-core-security → bugzilla-security
Component: Untriaged → General
Product: Firefox → bugzilla.mozilla.org
Version: 52 Branch → Production
Respected bugzilla.mozilla Security Team,

Hi, any updates?

Regards,
Suyog Palav
Any logged in user can go to https://bugzilla.mozilla.org/user_profile and type in the user auto completion field to find other valid email addresses. Any thoughts, :claudijd?
Thank you for your report, but as mentioned by :dylan, this is a feature of the bugzilla platform and not a security bug.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 months ago
Resolution: --- → INVALID
Sorry I missed the NI, was over a weekend and I had a family medical emergency yesterday. I'm not concerned about the auto-complete, I believe the presumption of the BMO security model is that you're not using shared devices.
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #6)
> Sorry I missed the NI, was over a weekend and I had a family medical
> emergency yesterday. I'm not concerned about the auto-complete, I believe
> the presumption of the BMO security model is that you're not using shared
> devices.

I misspoke in my haste to get caught up with bug mail today. s/auto-complete/enumeration/ in the above statement.