Internal S3 bucket Takeover - mozilla-nightly-updates
Categories: Release Engineering :: Release Automation: Updates, defect

Tracking | Status
---|---
firefox81 | fixed

People: Reporter: shivang0942, Assigned: sfraser

Attachments: 1 file
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Steps to reproduce:
Hello team,
While doing recon on Mozilla I came across a GitHub repo; as it was updated 29 days ago, I believe this is an active project:
https://github.com/mozilla/gecko-dev/blob/0aa82daf1e60bbd7ac7b7ae4d816a9b300081b5a/taskcluster/docker/funsize-update-generator/scripts/funsize.py
In this, on line 36, we can see that https://mozilla-nightly-updates.s3.amazonaws.com belongs to you, but actually when I visited the bucket I got 404 no such bucket exists, and so I took over the bucket so no one else with malicious intent can take over the bucket.
https://mozilla-nightly-updates.s3.amazonaws.com/index.html
This can cause XSS and other vulnerabilities for your users and can be hosted as a phishing site, as you have mentioned that this bucket belongs to you, and now anyone would fall for a high-end attack.
This is a severe vulnerability: to mention an S3 bucket that you don't own in env.defaults.
Hope you fix this soon.
Actual results:
It showed no such bucket.
Expected results:
It should have shown denied when I tried to access the bucket.
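The condition the report describes (a bucket name referenced in the project's own code that answers 404 instead of 403) is what a release team would want to check for routinely. The following is an added example, not code from gecko-dev or funsize.py: it extracts S3 bucket names from source text and classifies each one with a HEAD request, so a referenced-but-unclaimed name surfaces as a finding. The sample source lines, the placeholder bucket names and the stub responses are constructed for this example; `head_bucket_http` is the live variant and is an assumption about how one would probe, not anything the bug describes.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Constructed sample of source/config lines in the style of the funsize.py
# reference in the report. The bucket names are placeholders for this example,
# not real Mozilla resources.
SAMPLE_SOURCE = """
DEFAULT_UPDATE_URL = "https://example-nightly-updates.s3.amazonaws.com/"
MAR_BASE_URL = "https://s3.amazonaws.com/example-release-artifacts/mar/"
HOMEPAGE = "https://example.org/not-an-s3-bucket"
"""

# Matches both S3 URL styles: virtual-hosted (<bucket>.s3[.region].amazonaws.com)
# and path-style (s3[.region].amazonaws.com/<bucket>).
BUCKET_RE = re.compile(
    r"https?://(?:"
    r"(?P<vhost>[a-z0-9.\-]+)\.s3(?:[.-][a-z0-9\-]+)?\.amazonaws\.com"
    r"|s3(?:[.-][a-z0-9\-]+)?\.amazonaws\.com/(?P<path>[a-z0-9.\-]+)"
    r")"
)


def extract_buckets(text: str) -> List[str]:
    """Return the distinct bucket names referenced in text, in order of appearance."""
    found: List[str] = []
    for m in BUCKET_RE.finditer(text):
        name = m.group("vhost") or m.group("path")
        if name not in found:
            found.append(name)
    return found


def classify(status: int) -> str:
    """Map the HTTP status of a HEAD on https://<bucket>.s3.amazonaws.com/ to a verdict.

    404 (NoSuchBucket) is the dangling case from the report: the name is referenced
    by our code but nobody owns it, so anyone may create it. 403 is the expected
    answer for an internal bucket that exists and is private.
    """
    if status == 404:
        return "UNCLAIMED"
    if status == 403:
        return "exists (private)"
    if status == 200:
        return "exists (publicly listable)"
    return "unknown (HTTP %d)" % status


def audit(text: str, head: Callable[[str], int]) -> Dict[str, str]:
    """Classify every bucket referenced in text using the supplied HEAD probe."""
    return {name: classify(head(name)) for name in extract_buckets(text)}


def dangling(results: Dict[str, str]) -> List[str]:
    """Names to alert on: referenced by our code, owned by nobody."""
    return [name for name, verdict in results.items() if verdict == "UNCLAIMED"]


def head_bucket_http(bucket: str) -> int:
    """Live probe (needs network, assumed approach): HEAD the bucket endpoint."""
    req = urllib.request.Request(
        "https://%s.s3.amazonaws.com/" % bucket, method="HEAD"
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed offline responses standing in for the live probe.
STUB_RESPONSES = {
    "example-nightly-updates": 404,    # referenced, but nobody owns it
    "example-release-artifacts": 403,  # exists and is private: the expected state
}


def run_offline_demo() -> Dict[str, str]:
    """Audit SAMPLE_SOURCE against the stub responses (no network needed)."""
    return audit(SAMPLE_SOURCE, lambda name: STUB_RESPONSES.get(name, 0))


if __name__ == "__main__":
    results = run_offline_demo()
    for name, verdict in results.items():
        print("%-30s %s" % (name, verdict))
    print("dangling:", dangling(results))
```

Run it over real files by passing `head_bucket_http` to `audit` instead of the stub; a virtual-hosted HEAD is enough to distinguish the three cases, since an unclaimed name returns 404 while an existing private bucket returns 403 regardless of region. The verdict worth paging on is only `UNCLAIMED`: that is the state the reporter observed, and it is exactly what the assignee's "tracking these bucket removals" is meant to catch before a reference outlives its bucket.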
Comment 1 (Reporter) • 4 years ago
Just to give you a reference for the severity of a similar report.
Reference: https://hackerone.com/reports/329689
Comment 2 (Reporter) • 4 years ago
You can check the reference report I attached from HackerOne; it was a similar vulnerability that was rewarded. Even I have received a few bounties from this type of vulnerability.
Updated • 4 years ago
Comment 3 (Assignee) • 4 years ago
Good catch, thank you for finding this! We were tracking these bucket removals but must have missed this one. Patch incoming.
Comment 4 (Assignee) • 4 years ago
Updated • 4 years ago
Comment 5 (Reporter) • 4 years ago
Thanks for the fast reply.
Can you check the other reports too: 1657411, 1657413?
Comment 6 (Assignee) • 4 years ago
(In reply to Shivang Trivedi from comment #5)
> Thanks for the fast reply.
> Can you check the other reports too: 1657411, 1657413?
The other two aren't managed by release engineering, so we don't have the right access or background knowledge. I see Tom's trying to find the right code owners for those.
Comment 7 (Reporter) • 4 years ago
OK, great. Thanks for the response.
Comment 8 (Reporter) • 4 years ago
Hey team,
Just wanted to ask: by when can I expect the reward?
As I need to pay my college fees soon.
Would be glad to get it as soon as possible.
Hoping for a positive reply soon.
Thank you
Comment 9 • 4 years ago
I'm pretty sure this is exactly the same as https://bugzilla.mozilla.org/show_bug.cgi?id=1614069. Adding ulfr, because he was involved from the security side in that bug.
Updated • 4 years ago
Comment 11 (Reporter) • 4 years ago
Hey man, as it's marked as duplicate now, would I still be getting a share in the original report, or no bounty for me on #1657409?
Updated • 4 years ago
Comment 12 • 4 years ago
Unfortunately, only the first person to report a bug is eligible for a bug bounty.
Comment 13 • 4 years ago
Comment 14 (Reporter) • 4 years ago
Anything on the HoF?
Comment 15 • 4 years ago
There was no vulnerability here. It was an obsolete mention of a hostname we don't use.
Updated • 4 years ago