Brute Force Attack - Email Enumeration Attack to find Valid User

RESOLVED INVALID

Product: bugzilla.mozilla.org
Component: General
Version: Production
Reporter: Suyog Palav (Unassigned)

Description

9 months ago
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170627155318

Steps to reproduce:

Proof of Concept:

   1. Go to: https://bugzilla.mozilla.org/createaccount.cgi

   2. Enter the email address (for Create New Account).

   3. Click on the checkbox and press the "Create Account" button.

   4. Capture this request.

   5. Configure the position where payloads will be inserted (position: email address).

   6. So, let's start the Sniper attack.

   7. Now, check the response in the browser.


#Video POC is attached for more information: https://drive.google.com/open?id=0B0fAyQvEfvHtUjBHN216N29qejg


Actual results:

Check the response in the browser:

       - There is already an account with the login name example@gmail.com.

          i.e. the email addresses of valid users are successfully found.


Expected results:

Respected Bugzilla Security Team,

Hi,
I found a vulnerability on your website. The details of the vulnerability are as follows.

#Vulnerability Title : Brute Force Attack - Email Enumeration Attack to find Valid User

#Vulnerable Domain : https://bugzilla.mozilla.org/createaccount.cgi

#Severity : HIGH


#Description :
               - Find out valid email addresses that already have a Bugzilla account.
               - This email-subscription page doesn't have any protection against brute-force attacks and email enumeration.


#Impact :
         - A brute-force attack is possible on this page.
         - An attacker can find out which users exist on bugzilla.mozilla.org.


# Recommendation :
          - It's recommended to implement some type of lockout after a defined number of email attempts.
          - After trying a valid email in the attack, the server should give an error like:
The email you entered did not match our records. Please double-check and try again.
Group: firefox-core-security → bugzilla-security
Component: Untriaged → General
Product: Firefox → bugzilla.mozilla.org
Version: 52 Branch → Production
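An added example (not code from the report or from Bugzilla itself) of the mitigation the reporter recommends: the leaky "before" response beside a signup handler that returns the same message whether or not the address is registered and throttles repeated attempts per client. The class name, thresholds and the sample account list are assumptions.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of registered accounts (placeholder data, not real users).
REGISTERED = {"example@gmail.com", "alice@example.org"}


@dataclass
class SignupService:
    registered: set = field(default_factory=lambda: set(REGISTERED))
    max_attempts: int = 5          # attempts allowed per client per window (assumed)
    window_seconds: float = 600.0  # sliding window for the limit (assumed)
    attempts: dict = field(default_factory=lambda: defaultdict(deque))
    outbox: list = field(default_factory=list)  # mails "sent"; constructed stand-in

    def leaky_create(self, email: str) -> str:
        # "Before" behaviour as the report describes it: the message reveals
        # whether the address already has an account.
        if email in self.registered:
            return f"There is already an account with the login name {email}."
        self.outbox.append(("verify", email))
        return "A confirmation email has been sent."

    def _rate_limited(self, client: str, now: float) -> bool:
        # Sliding-window counter per client; drop timestamps outside the window.
        q = self.attempts[client]
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        if len(q) >= self.max_attempts:
            return True
        q.append(now)
        return False

    def create(self, client: str, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._rate_limited(client, now):
            return "Too many attempts. Please try again later."
        # Identical response body either way; the only difference is which
        # email goes to the address, so only its owner learns the state.
        if email in self.registered:
            self.outbox.append(("already-registered", email))
        else:
            self.outbox.append(("verify", email))
        return "If this address can be registered, a confirmation email has been sent."
```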
(Reporter)

Comment 1

9 months ago
Respected bugzilla.mozilla Security Team,

Hi,
Any updates?

Regards,
Suyog Palav
Any logged-in user can go to https://bugzilla.mozilla.org/user_profile and type in the user auto-completion field to find other valid email addresses.

Any thoughts, :claudijd?
Flags: needinfo?(jclaudius)
(Reporter)

Comment 3

9 months ago
Any updates?
(Reporter)

Comment 4

9 months ago
Any updates?

Comment 5

9 months ago
Thank you for your report, but as mentioned by :dylan, this is a feature of the bugzilla platform and not a security bug.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 months ago
Resolution: --- → INVALID
Sorry I missed the NI, was over a weekend and I had a family medical emergency yesterday.  I'm not concerned about the auto-complete, I believe the presumption of the BMO security model is that you're not using shared devices.
Flags: needinfo?(jclaudius)
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #6)
> Sorry I missed the NI, was over a weekend and I had a family medical
> emergency yesterday.  I'm not concerned about the auto-complete, I believe
> the presumption of the BMO security model is that you're not using shared
> devices.

I misspoke in my haste to get caught up with bug mail today. s/auto-complete/enumeration/ in the above statement.