Closed Bug 1396259 Opened 7 years ago Closed 7 years ago

Deleted account still accessible on https://addons.mozilla.org

Categories

(Websites :: Other, defect, P1)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: aniketk, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Deleted addons account still accessible.

Steps to reproduce:

1. Register for an account on https://addons.mozilla.org
2. Log in with the registered account on https://addons.mozilla.org.
3. In Account Settings, click 'Delete Account' at the bottom, near 'Update Account'.
4. After this, you will be taken to a confirmation page, which says: By clicking "delete" your account is going to be permanently removed. That means: You will not be able to log into addons.mozilla.org anymore. Your reviews and ratings will not be deleted, but they will no longer be associated with you.
5. Enter your registered email and check the checkbox which says 'I understand this step cannot be undone.'
6. Click 'Delete my user account now'.
7. A confirmation message will be displayed: 'Profile Deleted'.
8. Try to log in again with the registered credentials. You will be able to log in.

Looks like some logical flaw.
Flags: sec-bounty?
Severity: normal → critical
Priority: -- → P1
Hi Aniket, thanks for the report! Firefox Accounts (FxA) provides identity for addons.mozilla.org (AMO), so when an AMO account is deleted the FxA account still exists and it's still possible to log in to FxA. You'll notice that if you set a profile name after logging in at step 2, it isn't present after logging back in on step 8, since the profile was deleted.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
See Also: → 961775
Group: websites-security
Flags: sec-bounty? → sec-bounty-