visible e-mails
Categories
(Toolkit :: Blocklist Implementation, defect)
People
(Reporter: merex1313, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
Steps to reproduce:
1. Go to https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/70.0.1/Firefox/20191030021342/WINNT_x86_64-msvc/en-US/release/Windows_NT%2010.0/default/default/14/17/1
2. You will see that blocked e-mails are visible.
Actual results:
I was pentesting some other websites with Burp Suite; it alarmed me that e-mail addresses are disclosed. When I go to https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/70.0.1/Firefox/20191030021342/WINNT_x86_64-msvc/en-US/release/Windows_NT%2010.0/default/default/14/17/1 I see some blocked list.
Expected results:
E-mail addresses shouldn't be visible to regular users.
Comment 1•5 years ago
That appears to be derived from this file, and I expect it is intentional that it is publicly visible:
https://searchfox.org/mozilla-central/source/browser/app/blocklist.xml
It is related to the block listing of addons in Firefox.
Comment 2•5 years ago
Thank you for taking the time to report your concerns. We do appreciate it! In this case there is no private information being leaked: these aren't emails, these are extension IDs. Extension IDs are sometimes formatted as emails because they're easier to work with in that form than a string of random hex digits. See https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/browser_specific_settings#Extension_ID_format
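The triage described in the comments above, as an added example that is not part of the bug thread or Mozilla's code: it takes a scanner-style "e-mail disclosure" match and checks whether each hit is just the `id` of a blocklist entry. The sample XML is constructed, and the `emItem`/`id` names and the three regexes are assumptions modelled on the linked blocklist.xml and extension ID documentation.

```python
import re
import xml.etree.ElementTree as ET

# Generic "e-mail address" pattern of the kind a passive scanner applies (assumed).
EMAIL_LIKE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# The two extension ID shapes (assumed patterns): braced GUID, or e-mail-style string.
GUID_ID = re.compile(r"^\{[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}$")
EMAIL_STYLE_ID = re.compile(r"^[A-Za-z0-9._-]*@[A-Za-z0-9._-]+$")

# Constructed sample response; not real blocklist data.
SAMPLE = """<blocklist>
  <emItems>
    <emItem blockID="i0001" id="toolbar@example.invalid"/>
    <emItem blockID="i0002" id="{01234567-89ab-cdef-0123-456789abcdef}"/>
    <emItem blockID="i0003" id="@helper-addon"/>
  </emItems>
  <note>contact: admin@example.invalid</note>
</blocklist>"""

def classify_id(value):
    """Name the extension ID shape a string has, or 'other'."""
    if GUID_ID.match(value):
        return "guid"
    if EMAIL_STYLE_ID.match(value):
        return "email-style"
    return "other"

def extension_ids(xml_text):
    """Collect id attributes of emItem elements, ignoring any XML namespace."""
    root = ET.fromstring(xml_text)
    return {el.get("id") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "emItem" and el.get("id")}

def triage(xml_text):
    """Map each e-mail-like hit to 'extension-id' or 'needs-review'."""
    ids = extension_ids(xml_text)
    verdicts = {}
    for hit in EMAIL_LIKE.findall(xml_text):
        is_id = hit in ids and classify_id(hit) != "other"
        verdicts[hit] = "extension-id" if is_id else "needs-review"
    return verdicts

if __name__ == "__main__":
    for hit, verdict in triage(SAMPLE).items():
        print(f"{verdict:13} {hit}")
```

Only hits that are not an entry's `id` are left for manual review, which is the distinction Comment 2 draws.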