Deleted account still accessible on https://addons.mozilla.org

Status: RESOLVED WONTFIX
Product: Websites
Component: Other
Priority: P1
Severity: critical
Reported: 11 months ago
Modified: 11 months ago

Reporter: aniketk
Assignee: Unassigned

Version: unspecified
Bug Flags: sec-bounty-

Whiteboard: [reporter-external] [web-bounty-form] [verif?]

Description

11 months ago
Deleted addons account still accessible.

Steps to reproduce:
1. Register for an account on https://addons.mozilla.org
2. Login with registered account on https://addons.mozilla.org.
3. In Account Settings -> Click 'Delete Account' at bottom, near 'Update Account'
4. After this, you will be taken to a confirmation page, which says:

By clicking "delete" your account is going to be permanently removed. That means:

    You will not be able to log into addons.mozilla.org anymore.
    Your reviews and ratings will not be deleted, but they will no longer be associated with you.

5. Enter your registered email and check the checkbox which says 'I understand this step cannot be undone.'
6. Click 'Delete my user account now'.
7. A confirmation message will be displayed: 'Profile Deleted'.

8. Try to re-login with the registered credentials. You will be able to log in.

Looks like some logical flaw.
Flags: sec-bounty?
Updated

11 months ago
Severity: normal → critical
Priority: -- → P1

Comment 1

11 months ago
Hi Aniket, thanks for the report!

Firefox Accounts (FxA) provides identity for addons.mozilla.org (AMO), so when an AMO account is deleted the FxA account still exists and it's still possible to log in to FxA.

You'll notice that if you set a profile name after logging in at step 2, it isn't present after logging back in at step 8, since the profile was deleted.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → WONTFIX
See Also: → bug 961775

Updated

11 months ago
Group: websites-security
Flags: sec-bounty? → sec-bounty-
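The distinction comment 1 draws, between the relying party (AMO) that owns only a profile and the identity provider (FxA) that owns the credentials, is easier to see in a small model. The following is an added illustration written for this page, not AMO or FxA code: the class names, the email/password pair, the `display_name` field and the `block_deleted` tombstone option are all assumptions. It walks the reporter's eight steps and returns what survives deletion; the tombstone branch goes beyond the page and shows how a relying party could refuse re-login after deletion if it wanted to, which is not what AMO does.

```python
"""Model of a relying party (RP) that delegates authentication to an
identity provider (IdP). Added illustration for the AMO/FxA split in
comment 1; every name below is assumed, none is AMO or FxA code."""
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    """Stands in for FxA: owns the credentials and vouches for an email.
    Passwords are kept in plaintext only because this is a toy model."""
    users: dict = field(default_factory=dict)  # email -> password

    def register(self, email, password):
        self.users[email] = password

    def authenticate(self, email, password):
        """Return an identity assertion (just the verified email here) or None."""
        if self.users.get(email) == password:
            return {"email": email}
        return None


@dataclass
class RelyingParty:
    """Stands in for AMO: stores a profile keyed by the IdP-asserted email.
    It never sees the password and cannot delete the IdP account."""
    idp: IdentityProvider
    profiles: dict = field(default_factory=dict)  # email -> profile dict
    tombstones: set = field(default_factory=set)  # assumed hardening, not AMO behaviour

    def login(self, email, password, block_deleted=False):
        """Authenticate via the IdP, then look up or provision the RP profile."""
        assertion = self.idp.authenticate(email, password)
        if assertion is None:
            return None
        if block_deleted and assertion["email"] in self.tombstones:
            # Optional design: remember deleted identities and refuse them.
            return None
        # First login, or first login after deletion, provisions a fresh,
        # empty profile: this is why the IdP login keeps working.
        return self.profiles.setdefault(assertion["email"], {"display_name": None})

    def set_display_name(self, email, name):
        self.profiles[email]["display_name"] = name

    def delete_profile(self, email):
        """The 'Delete my user account now' action: removes only RP-side data."""
        self.profiles.pop(email, None)
        self.tombstones.add(email)


def reproduce(block_deleted=False):
    """Walk the reporter's steps and report what is left after deletion."""
    idp = IdentityProvider()
    idp.register("alice@example.test", "pw")          # step 1 (constructed user)
    rp = RelyingParty(idp)
    rp.login("alice@example.test", "pw")               # step 2
    rp.set_display_name("alice@example.test", "Alice")  # the check from comment 1
    rp.delete_profile("alice@example.test")            # steps 3-7
    after = rp.login("alice@example.test", "pw", block_deleted=block_deleted)  # step 8
    return {
        # The IdP account was never touched, so IdP authentication still succeeds.
        "idp_login_works": idp.authenticate("alice@example.test", "pw") is not None,
        # With AMO's design the RP login succeeds too, against a new empty profile.
        "rp_login_works": after is not None,
        # The profile data really is gone: the name set at step 2 does not return.
        "display_name_after": None if after is None else after["display_name"],
    }
```

Running `reproduce()` reproduces the report as comment 1 explains it: IdP and RP logins both succeed, but the display name is gone. `reproduce(block_deleted=True)` shows the alternative where the RP keeps a tombstone; the IdP login still works either way, because only the IdP can delete the IdP account.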