bugzilla user profile page discloses email address and lots of other info
Categories
(Websites :: Other, defect)
Tracking
(Not tracked)
People
(Reporter: ranj3et, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments
(1 file)
Hello Team,
Vulnerability Description: I have found an endpoint that is disclosing all user email addresses and lots of other information.
Vulnerable Endpoint: https://bugzilla.mozilla.org/user_profile?user_id=***
Steps to reproduce:
- Log in to your account "https://bugzilla.mozilla.org"
- Then visit this endpoint and change the id parameter 'https://bugzilla.mozilla.org/user_profile?user_id=*'
- In the search parameter you will find the email address.
See the PoC image enclosed in the attachment.
Thank You
Hi Ranjeet, this is the intended behavior for the user profile page. Developers and other BMO users share their email addresses on mailing lists and elsewhere, so we do not consider them private information.
Thanks for the report!
Hello team! Although the bug was not accepted and marked as "intended behavior", from what I see it received a silent fix. However, your fix doesn't fully eliminate the bug. I will not try to report the issue since it'll also be marked as "Informative".
Comment 9 • 3 years ago
Hello,
I don't believe any changes happened due to this report. Why do you think there was a silent fix for the issue?
As mentioned in comment 1 as well as on Bugzilla when you create an account, https://bugzilla.mozilla.org/createaccount.cgi:
Bugzilla is a public place. Your comments and other activities on bugs will generally be publicly visible, and your email address will be accessible through public APIs and will be visible to all logged-in users of Bugzilla.
Thanks,
Frida
Updated • 5 months ago