Closed Bug 1657409 Opened 4 years ago Closed 4 years ago

Internal S3 bucket Takeover - mozilla-nightly-updates

Categories

(Release Engineering :: Release Automation: Updates, defect)

defect

Tracking

(firefox81 fixed)

RESOLVED DUPLICATE of bug 1614069
Tracking Status
firefox81 --- fixed

People

(Reporter: shivang0942, Assigned: sfraser)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

Hello team ,
While doing recon on Mozilla I came across a GitHub repo. As it was updated 29 days ago, I believe this is an active project:
https://github.com/mozilla/gecko-dev/blob/0aa82daf1e60bbd7ac7b7ae4d816a9b300081b5a/taskcluster/docker/funsize-update-generator/scripts/funsize.py

In this, on line 36, we can see that https://mozilla-nightly-updates.s3.amazonaws.com belongs to you, but actually when I visited the bucket I got a 404 "no such bucket exists", and so I took over the bucket so no one else with malicious intent can take over the bucket.

https://mozilla-nightly-updates.s3.amazonaws.com/index.html

This can cause XSS and other vulnerabilities for your users and can be hosted as a phishing site, as you have mentioned that this bucket belongs to you, and now anyone would fall for a high-end attack.

This is a severe vulnerability: mentioning an S3 bucket that you don't own in env.defaults.

Hope you fix this soon

Actual results:

It showed no such bucket.

Expected results:

It should have shown "denied" when trying to access the bucket.

Just to give you a reference for the severity of a similar report:
Reference:- https://hackerone.com/reports/329689

You can check the reference report I attached from HackerOne; it was a similar vulnerability that was rewarded, and I have even received a few bounties for this type of vulnerability.

Component: General → Release Automation: Updates
Flags: needinfo?(sfraser)
QA Contact: catlee → mtabara
Summary: Internal S3 bucket Takeover → Internal S3 bucket Takeover - mozilla-nightly-updates
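The report above hinges on one observable: a bucket name still referenced in a default config answered 404 (no such bucket) where a private bucket that the project actually owns would answer 403. Below is an added example, not code from the bug, from Mozilla's funsize tooling, or from the reporter, that turns that observation into a defender-side audit: it extracts S3 bucket hostnames from config text and flags the ones whose name is unclaimed. The bucket names in the sample config and the canned HTTP responses are constructed placeholders so the script runs offline; the `head_bucket` live fetcher is only used when no fake fetcher is injected.

```python
"""Audit config or source text for S3 bucket hostnames that no longer resolve
to an existing bucket (dangling references). Added example, not project code."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List

# Matches virtual-hosted S3 URLs such as https://<bucket>.s3.amazonaws.com/...
# and regional forms such as https://<bucket>.s3.us-west-2.amazonaws.com/...
S3_VHOST_RE = re.compile(
    r"https?://(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"
)


@dataclass(frozen=True)
class BucketFinding:
    bucket: str
    status: int    # HTTP status returned for a HEAD on the bucket root
    verdict: str   # "exists", "missing" or "unknown"


def classify(status: int) -> str:
    """Map the HEAD status of a bucket root to a verdict.

    200      -> exists and is publicly listable
    301/307  -> exists, but lives in another region (S3 redirects)
    403      -> exists, access denied: the answer a private bucket you own gives
    404      -> no such bucket: the name is unclaimed, so the reference is dangling
    """
    if status in (200, 301, 307, 403):
        return "exists"
    if status == 404:
        return "missing"
    return "unknown"


def head_bucket(bucket: str, timeout: float = 10.0) -> int:
    """Live fetcher: HEAD the bucket root and return the final HTTP status.

    urllib follows redirects it can resolve; a 3xx it cannot follow, or any
    4xx/5xx, surfaces as HTTPError and its code is returned unchanged.
    """
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def extract_buckets(text: str) -> List[str]:
    """Return the unique bucket names referenced in text, in first-seen order."""
    seen: List[str] = []
    for match in S3_VHOST_RE.finditer(text):
        name = match.group("bucket")
        if name not in seen:
            seen.append(name)
    return seen


def audit(text: str, fetcher: Callable[[str], int] = head_bucket) -> List[BucketFinding]:
    """Check every bucket named in text and report its existence verdict."""
    findings: List[BucketFinding] = []
    for bucket in extract_buckets(text):
        status = fetcher(bucket)
        findings.append(BucketFinding(bucket, status, classify(status)))
    return findings


def dangling(findings: List[BucketFinding]) -> List[str]:
    """Bucket names that anyone could still register: these need fixing first."""
    return [f.bucket for f in findings if f.verdict == "missing"]


# Constructed sample: an env.defaults-style fragment naming three placeholder buckets.
SAMPLE_CONFIG = """
UPDATES_URL=https://example-nightly-updates.s3.amazonaws.com/
ARCHIVE_URL=https://example-archive.s3.us-west-2.amazonaws.com/releases/
LOGS_URL=https://example-build-logs.s3.amazonaws.com/
"""

# Constructed responses standing in for live HEAD requests (offline run).
FAKE_RESPONSES: Dict[str, int] = {
    "example-nightly-updates": 404,  # unclaimed: the dangling case from the report
    "example-archive": 301,          # exists, in another region
    "example-build-logs": 403,       # exists, private: the expected answer
}


def fake_fetcher(bucket: str) -> int:
    return FAKE_RESPONSES.get(bucket, 404)


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG, fake_fetcher)
    for f in results:
        print(f"{f.bucket:28s} HTTP {f.status}  {f.verdict}")
    print("dangling:", dangling(results))
```

Running this against a real repository means passing the file contents to `audit` with the default fetcher; the useful output is the `dangling` list, which is what should gate a release or a CI job, since a 404 on a name your own config advertises is the condition the report describes. A 403 is the normal, healthy answer for a private bucket and should not be treated as a finding.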

Good catch, thank you for finding this! We were tracking these bucket removals but must have missed this one. Patch incoming.

Flags: needinfo?(sfraser)
Assignee: nobody → sfraser

Thanks for the fast reply.
Can you check the other reports too: 1657411, 1657413

(In reply to Shivang Trivedi from comment #5)

Thanks for the fast reply.
Can you check the other reports too: 1657411, 1657413

The other two aren't managed by release engineering, so we don't have the right access or background knowledge. I see Tom's trying to find the right code owners for those.

OK great, thanks for the response.

Hey team,
Just wanted to ask when I can expect the reward,
as I need to pay my college fees soon.
Would be glad to get it as soon as possible.
Hoping for a positive reply soon.

Thank you

I'm pretty sure this is exactly the same as https://bugzilla.mozilla.org/show_bug.cgi?id=1614069. Adding ulfr, because he was involved from the security side in that bug.

Flags: needinfo?(jvehent)
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(jvehent)
Resolution: --- → DUPLICATE

Hey man, as it's marked as a duplicate now, would I still be getting a share of the original report's bounty, or is there no bounty for me on #1657409?

Flags: sec-bounty?

Unfortunately, only the first person to report a bug is eligible for a bug bounty.

Flags: sec-bounty?
Flags: sec-bounty-hof-
Flags: sec-bounty-

Anything on HoF?

There was no vulnerability here. It was an obsolete mention of a hostname we don't use.

Group: releng-security
