Closed Bug 1430735 Opened 6 years ago Closed 11 months ago

Mozilla Login panel Brute force (no lockout)

Categories

(support.mozilla.org :: General, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: topsykrette.he, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20180103231032

Steps to reproduce:

PLEASE WATCH VIDEO POC FIRST 

https://support.mozilla.org/en-US/users/login  site is vulnerable to bruteforce login attack

FOR STEPS OF REPRODUCTION PLEASE WATCH VIDEO POC:https://youtu.be/xMSO-4gbwGw


Actual results:

https://support.mozilla.org/en-US/users/login

Here the login page has no rate limit on login attempts, so brute force is happening.
Account takeover by brute forcing can happen.

By using Burp Suite, I tried brute-force login more than 1000 times, but it seems to send requests continuously. There is no rate limit applied.

STILL I CAN TRY 100000000+

AND SO ON.

Expected results:

PAGE should lock or block the attacker or set a reCAPTCHA on the login page to terminate the brute force
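The expected behaviour described above (lock or block after too many attempts) can be illustrated with a small login throttle. The following is an added example written for this page; it is not code from the report, from the bug thread, or from the SUMO site. The thresholds, key names, the constructed credential store and the address 203.0.113.7 are all assumptions chosen for illustration. The throttle keeps a sliding window of failures per account and per source address and refuses further attempts, before any password check, once a limit is reached.

```python
"""Added example (not part of the bug report or of the SUMO site's code):
a sliding-window login throttle of the kind the reporter expected.
All names, thresholds and sample data below are assumptions."""
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Assumed policy values for the example.
MAX_FAILURES_PER_ACCOUNT = 5    # failures per account inside the window
MAX_FAILURES_PER_IP = 20        # failures per source address inside the window
WINDOW_SECONDS = 300            # sliding window for counting failures
LOCKOUT_SECONDS = 900           # how long a key stays blocked after tripping


class LoginThrottle:
    """Tracks failed logins per key ('acct:<user>' or 'ip:<addr>')."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of failures
        self._locked_until = {}               # key -> time the lock expires

    def _prune(self, key, now):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def is_blocked(self, key, now):
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return True
            del self._locked_until[key]       # lock expired, clear it
        return False

    def record_failure(self, key, limit, now):
        q = self._prune(key, now)
        q.append(now)
        if len(q) >= limit:                   # trip the lock and reset the window
            self._locked_until[key] = now + LOCKOUT_SECONDS
            q.clear()

    def record_success(self, key):
        self._failures.pop(key, None)


def _hash(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed credential store for the example: username -> (salt, hash).
USERS = {"alice": (b"salt-1", _hash(b"salt-1", "correct horse battery staple"))}


def attempt_login(throttle, username, password, src_ip, now=None):
    """Return 'ok', 'denied' (wrong credentials) or 'throttled' (blocked)."""
    now = throttle.clock() if now is None else now
    acct_key, ip_key = f"acct:{username}", f"ip:{src_ip}"
    if throttle.is_blocked(acct_key, now) or throttle.is_blocked(ip_key, now):
        return "throttled"                    # refused before any password check
    rec = USERS.get(username)
    ok = rec is not None and hmac.compare_digest(_hash(rec[0], password), rec[1])
    if ok:
        throttle.record_success(acct_key)
        return "ok"
    throttle.record_failure(acct_key, MAX_FAILURES_PER_ACCOUNT, now)
    throttle.record_failure(ip_key, MAX_FAILURES_PER_IP, now)
    return "denied"


def simulate_guessing(n_attempts):
    """Replay n wrong guesses against one account from one (assumed) address,
    one per second from t=0; returns how many were denied vs. throttled."""
    throttle = LoginThrottle()
    counts = {"ok": 0, "denied": 0, "throttled": 0}
    for i in range(n_attempts):
        outcome = attempt_login(throttle, "alice", f"guess{i}", "203.0.113.7", now=float(i))
        counts[outcome] += 1
    return counts


if __name__ == "__main__":
    print(simulate_guessing(1000))   # only 10 of 1000 guesses reach the password check
```

With the assumed thresholds, 1000 guesses at one per second trip the account lock after five failures, so only ten guesses in total are ever checked against the stored hash; the remaining 990 are refused outright. Counting per source address as well as per account is what lets the same logic slow down an attacker spraying guesses across many accounts, and a correct password submitted during a lock is also refused, which is the trade-off a lockout policy makes.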
Severity: normal → major
Status: UNCONFIRMED → NEW
Component: Your Web → Other
Ever confirmed: true
Component: Other → General
Product: Websites → support.mozilla.org
madalina, does this need a security review?
Flags: needinfo?(mana)
See Also: → 951267, 971000
HERE I DESCRIBE 2 THINGS

1) No lock or block after too many tries

2) user account credentials (password and user name) can be known by brute forcing due to no rate limiting

Thank you.
sorry sir to question... but I'm confused about the status of my bug
Dpak, you successfully filed your bug, it's a valid bug and we acknowledge it. We will fix in the future weeks. Thank you
HELLO SIR.

Thanks for the quick response.

I have question about monetary reward (bounty) please can you ask me sir about my bug.
Dipak, bug bounty submissions need to be filed using the method described on this page:

https://www.mozilla.org/en-US/security/bug-bounty/

Make sure to reference this bug. This will get your bug in front of the right folks who can decide if this bug qualifies.
Flags: needinfo?(mana)
so I have to file this bug here https://bugzilla.mozilla.org/form.web.bounty ?

as sir glorgos asked: Dpak, you successfully filed your bug, it's a valid bug and we acknowledge it. We will fix in the future weeks. Thank you

so according to this it's a valid bug, and how will I get the bounty :)

Best Regards
I want to be very clear, no one in this bug is involved in the bug bounty program so we can not say yes or no to your question. 

Our bug bounty program has specific criteria. Just because a bug is "valid" does not mean it meets the criteria. Your next course of action is to file a bug using the form, your request will then be evaluated by the right people.

I don't think that this issue is still valid, we are using FxA to sign in to SUMO now.

I'm closing this as WORKSFORME. Please feel free to change the resolution accordingly or re-open if you consider that this issue is still valid.

Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → WORKSFORME