Deleted account still accessible on https://addons.mozilla.org

RESOLVED WONTFIX

Status

Priority: P1
Severity: critical
a year ago
a year ago

People

(Reporter: aniketk, Unassigned)

Tracking

unspecified
Bug Flags: sec-bounty-

Details

(Whiteboard: [reporter-external] [web-bounty-form] [verif?])

(Reporter)

Description

a year ago
Deleted addons account still accessible.

Steps to reproduce:
1. Register for an account on https://addons.mozilla.org
2. Log in with the registered account on https://addons.mozilla.org.
3. In Account Settings, click 'Delete Account' at the bottom, near 'Update Account'.
4. After this, you will be taken to a confirmation page, which says:

By clicking "delete" your account is going to be permanently removed. That means:

    You will not be able to log into addons.mozilla.org anymore.
    Your reviews and ratings will not be deleted, but they will no longer be associated with you.

5. Enter your registered email and check the checkbox which says 'I understand this step cannot be undone.'
6. Click 'Delete my user account now'.
7. A confirmation message will be displayed: 'Profile Deleted'.
8. Try to log in again with the registered credentials. You will be able to log in.

Looks like some logical flaw.
Flags: sec-bounty?
(Reporter)

Updated

a year ago
Severity: normal → critical
Priority: -- → P1
Hi Aniket, thanks for the report! 

Firefox Accounts (FxA) provides identity for addons.mozilla.org (AMO), so when an AMO account is deleted the FxA account still exists and it's still possible to log in to FxA.

You'll notice that if you set a profile name after logging in at step 2, it isn't present after logging back in at step 8, since the profile was deleted.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → WONTFIX
See Also: → bug 961775
Group: websites-security
Flags: sec-bounty? → sec-bounty-
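
The split described in the reply above, as an added example that is not part of the original bug or of Mozilla's code: a constructed toy model in which an identity provider owns the account and the site keeps only a local profile. All class and function names are hypothetical, and creating a profile on first login is an assumption; the function replays the report's steps and classifies whether the second login reached the old profile or a new, empty one.

```python
import itertools

class IdentityProvider:
    """Constructed stand-in for the identity service; it owns the account."""
    def __init__(self):
        self.accounts = set()

    def sign_in(self, email):
        # Credential checking is elided: a known account always signs in.
        return email if email in self.accounts else None

class RelyingParty:
    """Constructed stand-in for the site; it owns only local profiles."""
    def __init__(self, idp):
        self.idp = idp
        self.profiles = {}
        self._ids = itertools.count(1)

    def login(self, email):
        identity = self.idp.sign_in(email)
        if identity is None:
            return None
        # Assumption: a profile is created on first login for an identity.
        if identity not in self.profiles:
            self.profiles[identity] = {"id": next(self._ids), "name": ""}
        return self.profiles[identity]

    def delete_profile(self, email):
        # Removes local data only; the identity provider is not touched.
        self.profiles.pop(email, None)

def triage_deletion(site, email, marker="marker-name"):
    """Replay the report's steps and classify what the second login reached."""
    before = site.login(email)
    if before is None:
        raise ValueError("account does not exist at the identity provider")
    before["name"] = marker          # step 2, plus a marker on the profile
    old_id = before["id"]
    site.delete_profile(email)       # steps 3-7
    after = site.login(email)        # step 8
    if after is None:
        return "login-blocked"
    if after["id"] == old_id or after["name"] == marker:
        return "old-profile-survived"
    return "fresh-profile"

idp = IdentityProvider()
idp.accounts.add("user@example.test")   # constructed sample account
print(triage_deletion(RelyingParty(idp), "user@example.test"))
```

A result of "old-profile-survived" would mean the deletion itself failed; "fresh-profile" matches what the reply describes, where the login succeeds but the earlier profile data is gone.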