Closed Bug 1549262 Opened 5 years ago Closed 5 years ago

Lack of password confirmation when deleting your account.

Categories

(bugzilla.mozilla.org :: General, enhancement, P1)

Production
enhancement

Tracking


RESOLVED FIXED

People

(Reporter: zakebenjwal, Assigned: dkl)

Details

Attachments

(2 files)

Attached video 2019-05-06 09-33-30.flv

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:

1> Log in, go to your profile page and click on Disable Account.

2> Now tick "I acknowledge" and click on Disable Account.

Actual results:

Vulnerability: Account removal without password confirmation.

Account removal is one of the sensitive parts of a web application that needs protection; therefore, removing an account should validate that the person doing it is the legitimate user.

Impact: When someone forgets to log out of their account on a public computer, anyone can delete the account in just one simple click.

Scenario:

The user logs in on a shared computer (office, library, cafe).
The account is left open, or it is a public computer.
An intruder comes along and tries to delete the user's account.
The intruder can easily delete the account because the system does not protect it by asking for the password to validate that the person deleting the account is the legitimate user.

Fix: Require re-authentication when a user is deleting an account: ask the user to enter their password before the account deletion completes.

POC: a demo video is attached.

Expected results:

When you try to delete your account, it should ask you for your password before deleting it.
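The check the report asks for, shown as an added example that is not Bugzilla's own code (Bugzilla is written in Perl; this is a self-contained Python model of the same control). It contrasts the behaviour described in the steps above, where a live session plus the acknowledgement checkbox is enough to disable the account, with a hardened handler that additionally demands the account password (verified with a salted PBKDF2 hash and a constant-time compare) and invalidates the session it was acted from. The user store, session store, REAUTH_WINDOW and the function names are all assumptions made for the example.

```python
"""Re-authentication gate for a destructive account action (added example,
not Bugzilla's code). The threat modelled is the one in the report: an
attacker who already holds a valid session (abandoned public computer)."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed in-memory stores standing in for the real database (assumption).
USERS = {}     # uid -> {"salt": bytes, "hash": bytes, "enabled": bool}
SESSIONS = {}  # session id -> {"uid": str, "reauth_at": float | None}

REAUTH_WINDOW = 300  # seconds a fresh password check remains valid (assumption)
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_user(uid: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[uid] = {"salt": salt, "hash": _hash_password(password, salt), "enabled": True}


def verify_password(uid: str, password: str) -> bool:
    rec = USERS.get(uid)
    if rec is None:
        return False
    # Constant-time comparison so a wrong guess leaks no timing information.
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])


def login(uid: str, password: str) -> Optional[str]:
    """Returns a session id on success. A fresh login deliberately does not
    count as re-authentication for later sensitive actions."""
    rec = USERS.get(uid)
    if rec is None or not rec["enabled"] or not verify_password(uid, password):
        return None
    sid = os.urandom(16).hex()
    SESSIONS[sid] = {"uid": uid, "reauth_at": None}
    return sid


def disable_account_unguarded(sid: str, acknowledged: bool) -> str:
    """Behaviour as reported: a live session plus the checkbox suffices."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return "not_logged_in"
    if not acknowledged:
        return "not_acknowledged"
    USERS[sess["uid"]]["enabled"] = False
    del SESSIONS[sid]
    return "disabled"


def disable_account_reauth(sid: str, acknowledged: bool,
                           password: Optional[str], now: Optional[float] = None) -> str:
    """Hardened handler: the caller must prove knowledge of the account
    password (or have done so within REAUTH_WINDOW seconds)."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if sess is None:
        return "not_logged_in"
    if not acknowledged:
        return "not_acknowledged"
    uid = sess["uid"]
    fresh = sess["reauth_at"] is not None and now - sess["reauth_at"] <= REAUTH_WINDOW
    if not fresh:
        if password is None or not verify_password(uid, password):
            return "reauth_required"   # stolen session alone gets no further
        sess["reauth_at"] = now
    USERS[uid]["enabled"] = False
    del SESSIONS[sid]                  # the session used for the action is revoked
    return "disabled"


if __name__ == "__main__":
    create_user("alice", "correct horse battery staple")
    sid = login("alice", "correct horse battery staple")
    print(disable_account_reauth(sid, True, None))      # reauth_required
    print(disable_account_reauth(sid, True, "wrong"))   # reauth_required
    print(disable_account_reauth(sid, True, "correct horse battery staple"))  # disabled
```

The re-authentication window is a design choice: it lets a user who just re-entered their password for one sensitive action perform another without being prompted again, while a session that never presented the password is still blocked. Whether the window should exist at all, and how long it should be, depends on how the application treats other significant actions such as changing the email address or password.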

Anyone here?? Why are all of my bugs still unconfirmed?? Weird bug bounty program.

So how do I mark it for bounty consideration??

Flags: sec-bounty?
OS: Unspecified → All
Hardware: Unspecified → All

:dkl, as this has been flagged as an enhancement, can it be made public?

Flags: needinfo?(dkl)

(In reply to Simon Bennetts [:psiinon] from comment #3)

:dkl, as this has been flagged as an enhancement, can it be made public?

Yeah, this is an enhancement, so we can open it up. Will try to work on this soon.

Group: bugzilla-security
Flags: needinfo?(dkl)
Priority: -- → P1
Version: Development → Production

Hey... thank you... I am getting a bounty this time, right?

Hey... when am I getting my bounty??? Can anyone tell me?

Flags: needinfo?(dkl)

The bounty committee typically meets once a week, on Mondays, to review the bounty bugs.
The bounty payments are detailed at https://www.mozilla.org/en-US/security/web-bug-bounty/#payouts-section
As this bug has been categorized as an enhancement rather than a security issue, it is unlikely to warrant a payout.

Flags: needinfo?(dkl)

Enhancement?? Deleting your account without confirmation is a bug. You can check other bounty platforms' VRT rating, or I can show you proof of getting bounties.
Also, this bug is rewardable according to the bounty brief... see this:

Significant actions only, such as changing email/passwords, deleting accounts, etc.

You added "sessions do not expire on 2FA activation" as an enhancement; that bug received $2500 on HackerOne, but it is an enhancement. This bug, though, is a defect in your system.
Every web application has that security, and Bugzilla should implement it too, because there are so many people who can lose all their stats and data if their account gets deleted.

Thank you.

Flags: sec-bounty? → sec-bounty-

Why not?? It's in the bounty brief... and this bug is a security issue, man... a user can lose all his data in 2 seconds... I have got bounties for such a bug... I have reported a 2FA bypass, and that is also a bug but is an enhancement, I agree to that... but this is a security issue because the impact is high... losing all your data in 2 seconds is a security risk, man.

Can you please see the bounty brief for this program???

Flags: needinfo?(dkl)

If this is the case, I am not going to report any other issues on this bug bounty program... where you don't get paid for any of the valid issues you submit... You can see my bug history: I have submitted all valid bugs and they all got resolved, but no bounty in the name of "enhancement"... If it's an enhancement, why is it a security issue on other bug bounty platforms??? I see some employees who have 20-year-old accounts on this site, and deleting such an account is very risky... This is insane if you don't pay bounties for valid bugs.

Flags: needinfo?(jclaudius)

Karann: To start, I would ask that you familiarize yourself with our Bug Etiquette (https://bugzilla.mozilla.org/page.cgi?id=etiquette.html) and Community Participation Guidelines (https://www.mozilla.org/en-US/about/governance/policies/participation/) when communicating on this platform. Additionally, just because another bug bounty program awards a bounty for a specific bug class, it doesn't mean that we have an obligation to do the same. Our eligible bug classes are clearly documented here (https://www.mozilla.org/en-US/security/web-bug-bounty/) and I would ask that you familiarize yourself with them if you are looking for eligible bounties.

To add further justification here, as I did in bug 1578144, this issue was classified as an enhancement because it doesn't contain an initial vector of attack beyond the presumption of full session compromise. Although we want to offer users as much agency as possible, the panel concluded that the impact of this issue does not warrant a bounty. That said, we do think it should operate as proposed and we hope to offer that behavior in the future.

Flags: needinfo?(jclaudius)
Assignee: nobody → dkl
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(dkl)
Attached file GitHub Pull Request

Merged to master.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
