Closed
Bug 1430735
Opened 6 years ago
Closed 11 months ago
Mozilla Login panel Brute force (no lockout)
Categories: support.mozilla.org :: General, defect
Tracking: Not tracked
Status: RESOLVED WORKSFORME
People: Reporter: topsykrette.he, Unassigned
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20180103231032

Steps to reproduce:
PLEASE WATCH THE VIDEO POC FIRST.
https://support.mozilla.org/en-US/users/login
The site is vulnerable to a brute-force login attack.
FOR STEPS TO REPRODUCE, PLEASE WATCH THE VIDEO POC: https://youtu.be/xMSO-4gbwGw

Actual results:
https://support.mozilla.org/en-US/users/login
Here the login page has no rate limit on login attempts, so brute force is happening. Account takeover by brute forcing can happen. Using Burp Suite, I tried brute-forcing the login more than 1000 times, but it seems to send requests continuously; there is no rate limit applied. STILL I CAN TRY 100000000+ AND SO ON.

Expected results:
The PAGE should lock or block the attacker, or set a reCAPTCHA on the login page to terminate the brute force.
Updated • 6 years ago
Severity: normal → major
Status: UNCONFIRMED → NEW
Component: Your Web → Other
Ever confirmed: true

Updated • 6 years ago
Component: Other → General
Product: Websites → support.mozilla.org
Comment 1 • 6 years ago
madalina, does this need a security review?
Comment 2 • 6 years ago
Here I describe 2 things: 1) No lock or block after too many tries. 2) User account credentials (password and username) can be known by brute forcing due to no rate limiting. Thank you.
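The description and Comment 2 ask for a lockout or rate limit on the login form. The following is an added example of what such a throttle looks like; it is not Kitsune's code and not the fix tracked in the linked issue. It counts failures per username and per client IP inside a sliding window and locks either key for a fixed period. The thresholds (5 failures in 5 minutes, 15-minute lockout), the account names, the IP addresses and the attacker's 20 requests/second pace are all assumptions made for the demonstration.

```python
# Added example: a per-account and per-IP login throttle with a temporary
# lockout. This is illustration code, not Kitsune's code or the fix tracked
# in the linked issue. Thresholds, account names, IP addresses and the
# attacker's request pace are all assumptions made for the demonstration.
from collections import defaultdict, deque
import time


class LoginThrottle:
    """Counts failed logins per key (username and client IP) inside a sliding
    window and locks the key for `lockout` seconds once `max_failures` is hit.

    `clock` is injectable so the behaviour can be simulated without sleeping.
    """

    def __init__(self, max_failures=5, window=300.0, lockout=900.0,
                 clock=time.monotonic):
        self.max_failures = max_failures   # failures tolerated within `window`
        self.window = window               # seconds the failures are counted over
        self.lockout = lockout             # seconds a tripped key stays locked
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lock expires

    @staticmethod
    def _keys(username, ip):
        # Lock on both keys: username-only lets an attacker lock any victim
        # out (denial of service); IP-only is evaded with a proxy pool.
        return (f"user:{username.lower()}", f"ip:{ip}")

    def _locked(self, key, now):
        until = self._locked_until.get(key)
        return until is not None and now < until

    def allow(self, username, ip):
        """True if the attempt may proceed to password verification.

        Call this *before* checking the password, so a locked account gives
        the same answer for right and wrong guesses (no oracle).
        """
        now = self.clock()
        return not any(self._locked(k, now) for k in self._keys(username, ip))

    def record_failure(self, username, ip):
        now = self.clock()
        for key in self._keys(username, ip):
            q = self._failures[key]
            while q and now - q[0] > self.window:   # drop failures outside the window
                q.popleft()
            q.append(now)
            if len(q) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                q.clear()

    def record_success(self, username, ip):
        # A correct login resets the counters but never clears an active lock.
        for key in self._keys(username, ip):
            self._failures.pop(key, None)


def simulate_bruteforce(attempts=1000, correct_password="correct horse"):
    """Constructed scenario: one client IP hammering one account with a wordlist
    at 20 requests/second, as in the report. Returns the number of attempts
    that reached password verification and the number the throttle rejected.
    """
    fake_time = [0.0]
    throttle = LoginThrottle(clock=lambda: fake_time[0])
    verified = rejected = 0
    for i in range(attempts):
        fake_time[0] += 0.05
        if not throttle.allow("alice", "203.0.113.7"):
            rejected += 1
            continue
        verified += 1
        guess = f"password{i}"   # wordlist entry; never equals the real password here
        if guess == correct_password:
            throttle.record_success("alice", "203.0.113.7")
        else:
            throttle.record_failure("alice", "203.0.113.7")
    return verified, rejected


if __name__ == "__main__":
    verified, rejected = simulate_bruteforce()
    print(f"verified={verified} rejected={rejected}")   # verified=5 rejected=995
```

In the simulated run only the first five guesses reach the password check; the remaining 995 are refused without touching the credential store. Two points a practitioner would carry into a real deployment: keep the counters in a store shared by all web workers (a per-process dict like this one resets on restart and is bypassed by hitting a different backend), and pair the hard lockout with a CAPTCHA or progressive delay so a username-targeted lock cannot be used to keep a legitimate user out.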
Comment 3 • 6 years ago
Code changed tracked in issue https://github.com/mozilla/kitsune/issues/3018
Comment 4 • 6 years ago (Reporter)
Sorry sir to question... but I'm confused about the status of my bug.
Comment 5 • 6 years ago
Dpak, you successfully filed your bug; it's a valid bug and we acknowledge it. We will fix it in the coming weeks. Thank you.
Comment 6 • 6 years ago (Reporter)
Hello sir. Thanks for the quick response. I have a question about the monetary reward (bounty); please can you tell me, sir, about my bug.
Comment 7 • 6 years ago
Dipak, bug bounty submissions need to be filed using the method described on this page: https://www.mozilla.org/en-US/security/bug-bounty/ Make sure to reference this bug. This will get your bug in front of the right folks who can decide if this bug qualifies.
Flags: needinfo?(mana)
Comment 8 • 6 years ago (Reporter)
So I have to file this bug here: https://bugzilla.mozilla.org/form.web.bounty ? As sir glorgos said: "Dpak, you successfully filed your bug, it's a valid bug and we acknowledge it. We will fix in the future weeks. Thank you." So according to this it's a valid bug, and how will I get the bounty? :) Best Regards
Comment 9 • 6 years ago
I want to be very clear: no one in this bug is involved in the bug bounty program, so we cannot say yes or no to your question. Our bug bounty program has specific criteria. Just because a bug is "valid" does not mean it meets the criteria. Your next course of action is to file a bug using the form; your request will then be evaluated by the right people.
Comment 11 • 11 months ago
I don't think that this issue is still valid, we are using FxA to sign in to SUMO now.
I'm closing this as WORKSFORME. Please feel free to change the resolution accordingly or re-open if you consider that this issue is still valid.
Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → WORKSFORME