Closed Bug 1647545 Opened 4 years ago Closed 4 years ago

bugzilla user profile page discloses email address and lots of other info

Categories

(Websites :: Other, defect)

defect

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: ranj3et, Unassigned)

References

(Blocks 1 open bug, )

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(1 file)

Hello Team,

Vulnerability Description: I have found an endpoint that is disclosing all users' email addresses and lots of other information.

Vulnerable Endpoint: https://bugzilla.mozilla.org/user_profile?user_id=***

Steps to reproduce:

  1. Log in to your account at " https://bugzilla.mozilla.org "
  2. Then visit this endpoint and change the id parameter: ' https://bugzilla.mozilla.org/user_profile?user_id=* '
  3. In the search parameter you will find the email address.

See the PoC image enclosed in the attachment.

Thank You

Flags: sec-bounty?

Hi Ranjeet, this is the intended behavior for the user profile page. Developers and other BMO users share their email addresses on mailing lists and elsewhere, so we do not consider them private information.

Thanks for the report!

Status: UNCONFIRMED → RESOLVED
Type: task → defect
Closed: 4 years ago
Flags: sec-bounty?
Flags: sec-bounty-hof-
Flags: sec-bounty-
Resolution: --- → INVALID
Summary: Endpoint Disclosing email address and lots of other info → bugzilla user profile page discloses email address and lots of other info
Group: websites-security
Group: mozilla-employee-confidential
Group: mozilla-employee-confidential

Hello team! Although the bug was not accepted and was marked as "intended behavior", from what I see it received a silent fix. However, your fix doesn't fully eliminate the bug. I will not try to report the issue, since it'll also be marked as "Informative".

Hello,

I don't believe any changes happened due to this report. Why do you think there was a silent fix for the issue?

As mentioned in comment 1 as well as on Bugzilla when you create an account, https://bugzilla.mozilla.org/createaccount.cgi:

Bugzilla is a public place. Your comments and other activities on bugs will generally be publicly visible, and your email address will be accessible through public APIs and will be visible to all logged-in users of Bugzilla.

Thanks,
Frida

Blocks: 1830029