Closed Bug 1431638 Opened 8 years ago Closed 8 years ago

Mozilla Login panel Brute force (no lockout)

Categories

(Websites :: Other, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1430735

People

(Reporter: dipakprajapati803, Unassigned)


Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

I REPORTED THIS ISSUE ON: https://bugzilla.mozilla.org/show_bug.cgi?id=1430735 PLEASE READ THE LINK ABOVE. THE RESPONSIBLE PEOPLE SENT IT TO "UNDER REMEDIATION": Code change tracked in issue https://github.com/mozilla/kitsune/issues/3018. THEY ASKED ME TO SUBMIT THIS BUG AGAIN ON "THIS FORM" TO GET A BOUNTY.

================================== SAME REPORT ==================================

Steps to reproduce:

PLEASE WATCH THE VIDEO POC FIRST. https://support.mozilla.org/en-US/users/login is vulnerable to a brute-force login attack. FOR REPRODUCTION STEPS PLEASE WATCH THE VIDEO POC: https://youtu.be/xMSO-4gbwGw

Actual results:

https://support.mozilla.org/en-US/users/login Here the login page has no rate limit on login attempts, so brute forcing is possible. Account takeover by brute forcing can happen. Using Burp Suite, I tried brute-force login more than 1000 times, but it seems to keep sending requests continuously; there is no rate limit applied. I CAN STILL TRY 100000000+ AND SO ON.

Expected results:

The PAGE should lock or block the attacker, or set a reCAPTCHA on the login page to stop the brute force.
Flags: sec-bounty?
support.mozilla.org is not part of our bug bounty program, and bugs related to rate limiting are explicitly excluded from our bug bounty program. For the list of eligible sites, see: https://www.mozilla.org/en-US/security/bug-bounty/web-eligible-sites/ And for the classes of bugs that are accepted: https://www.mozilla.org/en-US/security/web-bug-bounty/ Nevertheless, we thank you for bringing this bug to our attention.
Group: websites-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: sec-bounty?
Flags: sec-bounty-hof-
Flags: sec-bounty-
Resolution: --- → DUPLICATE
I don't understand: my report got resolved, the team gave me a GitHub link to track the issue and asked me to report on this form, and then Bugzilla tells me my report is a duplicate. Is it fair? And not even a HOF, but the bug is going to be resolved, see: https://github.com/mozilla/kitsune/issues/3018
And sir, it's not rate limiting; with this an attacker can enumerate passwords and usernames of Firefox users. It doesn't matter that the login page is on the support page.
Normally it wouldn't be marked duplicate, but since it's not a security issue, I marked it duplicate to save on confusion. Network-based brute forcing attacks on passwords are not considered part of the bounty program because quite frankly our infrastructure (and most infrastructure) isn't remotely fast enough to make it feasible. A password such as "YVdstfotPG7r" would take approximately a half a billion centuries to brute force on average. Even at half that length, you're talking about 8 months and 1000 guesses per second would be noticed almost immediately, on account of it crashing our infrastructure. Also, I am not a "sir".
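The report asks for the login page to lock or block after repeated failures. As an added example (not kitsune's code and not from this bug), here is a minimal sliding-window login throttle with escalating lockout; the choice to key it on a (username, client IP) pair and the 5-failure / 60-second constants are assumptions.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5            # failures tolerated inside the sliding window
WINDOW_SECONDS = 300        # sliding window over which failures are counted
BASE_LOCKOUT_SECONDS = 60   # first lockout length; doubles on each repeat


class LoginThrottle:
    """Lock a key out after repeated failures. Key on (username, client IP):
    username alone lets an attacker lock victims out, IP alone is bypassed
    by distributing the guesses across many addresses."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                    # injectable for tests
        self._failures = defaultdict(deque)    # key -> failure timestamps
        self._locked_until = {}                # key -> lock expiry time
        self._lockouts = defaultdict(int)      # key -> lockouts so far

    def allowed(self, key):
        """True if this attempt may be checked against the password store."""
        until = self._locked_until.get(key)
        return until is None or self._clock() >= until

    def record(self, key, success):
        """Update state after the password check; call only when allowed()."""
        now = self._clock()
        if success:                            # a real login resets the key
            for table in (self._failures, self._locked_until, self._lockouts):
                table.pop(key, None)
            return
        window = self._failures[key]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                   # drop failures outside window
        window.append(now)
        if len(window) >= MAX_FAILURES:
            n = self._lockouts[key]            # escalate: 60s, 120s, 240s ...
            self._locked_until[key] = now + BASE_LOCKOUT_SECONDS * (2 ** n)
            self._lockouts[key] = n + 1
            window.clear()


def attempts_reaching_password_check(throttle, key, n):
    """Replay n wrong guesses at one instant; count those actually checked."""
    checked = 0
    for _ in range(n):
        if throttle.allowed(key):
            checked += 1
            throttle.record(key, False)
    return checked
```

With this in front of the password check, a burst of 1000 guesses like the one in the report reaches the store only 5 times before the key is locked, and each further burst doubles the lockout; a real deployment keeps this state in a shared store rather than process memory.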
So can I get HOF only? :)
If it was eligible for the hall-of-fame, it would be marked as such on our bug bounty page. If every bug we fixed ended up on the hall of fame, it would be approximately 1.4 million entries long.