Closed Bug 1674626 Opened 4 years ago Closed 4 years ago

wiki.m.o Article Takeover

Categories

(Websites :: wiki.mozilla.org, defect)

All
Unspecified
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: barnard, Unassigned)

Details

(Whiteboard: [reporter-external] [client-bounty-form])

Attachments

(1 file)

Attached image Mozilla-POC3.png

Hello Mozilla Security Team.

I submitted this same bug on https://webcompat.com/issues/60865 and https://github.com/webcompat/web-bugs/issues/60865
But I decided to also submit it on Mozilla's official site, so here the bug goes.

During my bug hunting on the mozilla.org site, I found wiki.mozilla.org. This site doesn't allow anonymous users to get admin-level access to edit pages. Only an invited or requested account which has got permission can create an account and edit the pages.

I tried to request an account for myself since it doesn't have a registration page. I found that my registration request had been purged because an anonymous user was requesting an account.

So I tried to log in to the site using default credentials.
Suddenly, I was able to access a higher privilege level that allowed me to edit the web pages, add images, etc.

Impact of this issue:

This is a critical issue for the Mozilla Foundation.
i). An attacker might have defaced the website.
ii). Anybody can edit the web pages and add explicit, pornographic content, or use this website as a phishing website leading to massive account takeover.
iii). Delivery of malware, viruses, infected Mozilla products, etc.
iv). And an attacker may have ruined the reputation of the Mozilla Foundation.

I hope the Security team has great concern towards this issue.

For confirmation, I have edited the web page https://wiki.mozilla.org/Releases
and added phishing-site.com instead of the original site added by the admin.

And I have also added an image depicting the defaced website.

Three POCs have been submitted in order to confirm the bug.

If you want, I will securely deliver the credentials I used to deface the site.

For contact: I am adding my HackerOne profile URL
HackerOne: https://hackerone.com/aaryan9898?type=user
My original-email : Mahtoshivnath07gmail.com
email-used-while-submitting-bug: Mahtoshivnath702@gmail.com
twitter: https://twitter.com/Aaryan076?s=01
For more information related to the bug, contact me at the above-mentioned addresses.

Thank you.
I hope the Mozilla security team will look into this issue as soon as possible.

Flags: sec-bounty?
Severity: -- → S1
Type: task → defect
Points: --- → 8
Priority: -- → P1
Hardware: Unspecified → All
Version: unspecified → Firefox 84

Thank you for the report.

(In reply to Aaryan9898 from comment #0)

> I submitted this same bug on https://webcompat.com/issues/60865 and https://github.com/webcompat/web-bugs/issues/60865

I do not understand why; it's not a web compatibility issue. Please do not post future issues with Mozilla infrastructure there (be they security-related or otherwise).

It looks like other vigilant volunteer Mozillians already reverted your edits, see https://wiki.mozilla.org/index.php?title=Releases&action=history .

Looking at https://wiki.mozilla.org/Special:Contributions/Username , it would appear that prior to you finding this account, it was created in 2006 and made 1 change, and was dormant ever since.

> If you want, I will securely deliver the credentials I used to deface the site.

It's a wiki, all changes are tracked so the username was obvious. The password was not hard to guess (hint: it had 8 letters).

I've changed the password on the account to not be quite so obvious.

> This is a critical issue for the Mozilla Foundation.

I'm pretty sure everyone understands that wikis are, well, wikis, even if new account creation is monitored to combat spam. I'm going to pass this to Mike who, I think, owns wikimo at this point, but I don't expect anything else to happen before Monday.

(In future, please do not alter the points/severity/priority values in the tracker.)

Group: firefox-core-security → websites-security
Severity: S1 → --
Points: 8 → ---
Component: Security → wiki.mozilla.org
Flags: needinfo?(mhoye)
Priority: P1 → --
Product: Firefox → Websites
Version: Firefox 84 → unspecified
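The comment above describes the pattern that made this incident easy to spot in the wiki's own history: an account created in 2006 with a single edit that suddenly resumes editing in 2020. The following script is an added example, not Mozilla's or the wiki's code, of how a defender could flag that pattern from a contribution log and enforce a password reset when a long-dormant account logs in. The edit log is constructed for the example, the account name "Username" is the placeholder from the Special:Contributions URL in the comment, and the two-year dormancy threshold is an assumed policy value.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample contribution log (not real wiki data). Each entry is
# (username, ISO-8601 timestamp, page title); "Username" is the placeholder
# account name from the bug's Special:Contributions URL.
SAMPLE_EDITS: List[Tuple[str, str, str]] = [
    ("Username", "2006-03-14T10:02:00", "Releases"),
    ("ActiveEditor", "2020-10-30T09:00:00", "Releases"),
    ("ActiveEditor", "2020-11-01T08:30:00", "Firefox/Roadmap"),
    ("Username", "2020-11-02T21:14:00", "Releases"),
    ("Username", "2020-11-02T21:16:00", "Releases"),
]

# Assumed policy threshold: an account silent for this long is "dormant".
DORMANCY = timedelta(days=365 * 2)


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the sample log."""
    return datetime.fromisoformat(ts)


def _edits_by_user(edits) -> Dict[str, List[datetime]]:
    """Group edit timestamps per user, sorted oldest first."""
    by_user: Dict[str, List[datetime]] = {}
    for user, ts, _page in edits:
        by_user.setdefault(user, []).append(parse_ts(ts))
    for times in by_user.values():
        times.sort()
    return by_user


def find_reactivated_accounts(edits, dormancy=DORMANCY) -> Dict[str, int]:
    """Return {username: longest_gap_in_days} for accounts whose history
    contains a silence of at least `dormancy` followed by new edits.
    This is the detection side: such reactivations deserve a closer look
    at the edits themselves."""
    flagged: Dict[str, int] = {}
    for user, times in _edits_by_user(edits).items():
        for prev, nxt in zip(times, times[1:]):
            gap = nxt - prev
            if gap >= dormancy:
                flagged[user] = max(flagged.get(user, 0), gap.days)
    return flagged


def login_requires_reset(user: str, now: datetime, edits,
                         dormancy=DORMANCY) -> bool:
    """Login-time policy (prevention side): True if the account's last
    activity before `now` is older than `dormancy`, or the account has
    never edited, so the wiki should force a password reset rather than
    accept a password that has sat unchanged for years."""
    past = [t for t in _edits_by_user(edits).get(user, []) if t < now]
    if not past:
        return True
    return now - past[-1] > dormancy


if __name__ == "__main__":
    for user, days in find_reactivated_accounts(SAMPLE_EDITS).items():
        print(f"{user}: resumed editing after {days} days of silence")
    login_time = parse_ts("2020-11-02T21:00:00")
    print("reset required for Username:",
          login_requires_reset("Username", login_time, SAMPLE_EDITS))
```

On the sample log, `find_reactivated_accounts` flags only "Username" (the 2006 account), and `login_requires_reset` would have demanded a new password at the 2020 login before any edit was possible; the regular editor passes both checks. In practice the log would come from the wiki's database or its contributions export rather than an inline list.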

Removing security flags to make this bug more visible, also given there's a duplicate bug filed through webcompat.com.

The wiki is not eligible for a bounty as per https://www.mozilla.org/en-US/security/bug-bounty/web-eligible-sites/ - furthermore, the wiki is open for "almost everyone" to edit. We restrict sign-ups, but not too much. The restriction is mostly a spam protection and we do not consider it a security barrier.

Mike, I suggest we close this issue.

Group: websites-security
Flags: sec-bounty? → sec-bounty-
Summary: Website-Takeover → wiki.m.o Article Takeover
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form]

The insecure (easily guessed password) account has now been blocked on WMO.

Other people have kindly reverted the defacement and set the password to a less obvious version.

Note that the compromised account had only ordinary "Author" style privileges, and was only able to edit the content of an existing (monitored) article.

Thank you to OP for finding and recording this though.

Spike
(WMO "module owner")

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(mhoye)
Resolution: --- → FIXED

Hello Team,
Yeah, I can confirm that the issue has been resolved.
But I still consider it a weakness on the Mozilla website.
If it had been exploited by a wrong person,
distribution of malicious packages, phishing, etc. might have occurred.

I want the team to look into this aspect also.
Meanwhile, a minimum bounty has to be awarded for this kind of bug.

Thank you.
