Closed Bug 1393851 Opened 8 years ago Closed 5 years ago

[lift] Existence of Private Collections Leaked Via HTTP Status Code

Categories

(addons.mozilla.org :: Security, defect)

Product:
addons.mozilla.org
Component:
Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: u600423, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36 Steps to reproduce: ## Overview: It is possible to determine the existence of a private collection based on the HTTP status code that is returned. TODO: We should talk about this and see if there are any other areas of the application in which we should try and leak existence of things. - maybe abuse reports for a specific user or add-on? Steps to reproduce: 1. Create a collection with Account A 2. Copy the URL to view collection 3. Logout of Account A and log back in with Account B 4. As Account B visit the URL of the collection Collection exists but user does not have access ![](https://cldup.com/wEoRQY41T0.png) If you change the collection URL to a collection that does not exist the response changes. ![](https://cldup.com/c6mTWkhf9j-3000x3000.png) ## Recommendations: We recommend returning a 404 response for private collections, whether the collection exists or not.
Summary: Existence of Private Collections Leaked Via HTTP Status Code → [lift] Existence of Private Collections Leaked Via HTTP Status Code
The existing collection pages above are being replaced with pages on addons-frontend, that are retrieved via the API. Though the API would return the same status codes, afaik. Private collections are being deprecated along the way, but existing collections will stay private for now. cc'ing jorge to decide if we need to worry about exposing private collections in the meantime.
Flags: needinfo?(jorge)
I don't think this is worth worrying about before the new front-end lands. But maybe this should be filed as a front-end bug to make sure we show the 404 in both cases?
Flags: needinfo?(jorge)
Hmm, but private collections aren't staying around long term - you dropped the property in favour of random slugs in the PRD. We just re-implemented it in the API for now because it was a complicated migration process for existing private collections and didn't want to block on it. Does a deprecated feature need to be fully secured?
It doesn't need to be fully secured, but I'm not sure for how long we'll keep the old private collections, and I think it wouldn't be too hard to show the right error message in the new front-end. If I'm wrong about that, then we can just drop it and maintain the bug until we drop all private collections.
Adding Kumar to CC for this one to make sure we don't leak the presence of private collections via status code in the new frontend as it's implemented there.
> ...make sure we don't leak the presence of private collections via status code in the new frontend as it's implemented there. We are not implementing private collections: https://docs.google.com/document/d/1DutmS8yco-hNiKJ1-0MrkAkze7Ue88xpA4b-MWx6MLI/edit So I guess this bug is just about fixing the API.
> So I guess this bug is just about fixing the API. Yes good point, it wouldn't make sense to special case something in the frontend if the API is always revealing the presence of private collections via status code. Whilst we're not implementing the option of private collections they will still need to be available to collection owners until we offer some kind of one-directional migration.

Wont-fixing on the basis this is considered a minor issue.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.