Closed Bug 1674752 Opened 1 year ago Closed 2 months ago

Rate limit new account creation, password change, etc. emails

Categories

(bugzilla.mozilla.org :: Email Notifications, defect, P3)


RESOLVED FIXED

People

(Reporter: ranjitkolhal5757, Assigned: dkl)

Details

(Keywords: sec-low)

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Firefox for Android

Steps to reproduce:

  1. Create a new account for bugzilla
  2. Enter your email
  3. Press enter and capture this request [burp_suite]
  4. Send to intruder
  5. Add [+11.....] before the @
     For example: example@gmail.com >>> example+1111@gmail.com
     Encoded: example%40gmail.com >>>> example%2B1111%40gmail.com
  6. Add null payloads [100+]
  7. Start attack

Actual results:

Attacker is able to send bulk verification / account creation request mail

Expected results:

  1. Spamming other users
  2. Harm Firefox reputation [I think]
  3. Increase mail charges
Attached image mail POC
Group: firefox-core-security → bugzilla-security
Component: Untriaged → User Interface
Product: Firefox → bugzilla.mozilla.org
Version: Firefox 82 → unspecified

Hello security team : )

Any update here?

Thanks for your report.

It's true that Bugzilla is missing rate limiting on these emails. I'm rating this as sec-low as the impact is minimal, and we have generic request rate limiting in place that should catch significant abusers.

Component: User Interface → Email Notifications
Keywords: sec-low
Priority: -- → P3

Thanks for the response.
Now the report is OPEN. When will the report go to the final stage?
This is my first submission on Bugzilla so I don't know the process; can you help me to understand : )

(In reply to Ranjit from comment #4)

Thanks for the response.
Now the report is OPEN. When will the report go to the final stage?
This is my first submission on Bugzilla so I don't know the process; can you help me to understand : )

Right now this bug hasn't been scheduled to be worked on; you'll see activity on the bug when that happens.
Given the low severity I wouldn't expect this issue to be resolved soon.

okay : )

Thanks

Is this bug able to get some bounty from Mozilla?

Flags: sec-bounty?

thank you : _)

Hello security team : )
Any update here?

(In reply to Ranjit from comment #9)

Hello security team : )
Any update here?

If there are updates they will appear on the bug. Please do not comment every week asking for updates, it just creates spam for everyone.

This bug does not qualify for our bug bounty

Flags: sec-bounty? → sec-bounty-

We can add code to send pings to iprepd when these events occur (instead of just errors) to mitigate this type of activity.

Assignee: nobody → dkl
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: No rate limit on account verification mail → Rate limit new account creation, password change, etc. emails
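As an added illustration of the two defensive ideas in this bug (collapsing the "+tag" variants from the report into one recipient bucket, and reporting over-limit clients to a reputation service the way the fix does with iprepd), here is a small Python rate-limiting gate. It is example code written for this page, not bmo's Perl implementation and not the code in the linked pull request; the iprepd client is replaced by an in-memory ReputationSink, and EmailEventGate, the limits, and the sample addresses are all constructed for the demonstration.

```python
"""Rate-limit email-sending events (account verification, password reset)
per canonical recipient address and per client IP.

Illustrative code for this bug page; not bmo's implementation. The
reputation reporter is an in-memory stand-in for a service like iprepd.
"""
import time
from collections import defaultdict, deque


def canonical_email(addr: str) -> str:
    """Collapse the variants one mailbox owner can generate.

    Example+1111@GMAIL.com -> example@gmail.com
    Sub-addressing ("+tag") is dropped for every domain; dot-insensitivity
    is applied only to Gmail domains (assumption: the deployment wants that
    rule; remove the branch if it does not fit the provider mix).
    """
    local, sep, domain = addr.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window:   # drop events outside window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ReputationSink:
    """Stand-in for the reputation service; only counts violations per IP."""

    def __init__(self):
        self.violations = defaultdict(int)

    def report(self, ip: str, event: str) -> None:
        self.violations[ip] += 1


class EmailEventGate:
    """Decide whether an email-triggering event may send mail."""

    def __init__(self, per_address=3, per_ip=20, window=3600.0, sink=None):
        self.by_addr = SlidingWindowLimiter(per_address, window)
        self.by_ip = SlidingWindowLimiter(per_ip, window)
        self.sink = sink or ReputationSink()

    def check(self, event: str, ip: str, addr: str, now=None) -> bool:
        now = time.time() if now is None else now
        key = canonical_email(addr)
        # Both limiters are consulted so each records the attempt.
        ok_addr = self.by_addr.allow(f"{event}:{key}", now)
        ok_ip = self.by_ip.allow(f"{event}:{ip}", now)
        if not (ok_addr and ok_ip):
            self.sink.report(ip, event)   # feed the reputation service
            return False
        return True


# Constructed sample: six "+tag" variants of one Gmail address from a single
# client, followed by an unrelated address from the same client.
SAMPLE = [("203.0.113.7", f"example+{i:04d}@gmail.com") for i in range(6)]
SAMPLE.append(("203.0.113.7", "other.person@example.org"))


def replay(requests, gate=None):
    """Return the allow/deny decision for each request, one second apart."""
    gate = gate or EmailEventGate()
    t0 = 1_700_000_000.0
    return [gate.check("account_create", ip, addr, now=t0 + i)
            for i, (ip, addr) in enumerate(requests)]


if __name__ == "__main__":
    for (ip, addr), allowed in zip(SAMPLE, replay(SAMPLE)):
        print(f"{ip} {addr:32} -> {'send' if allowed else 'suppressed'}")
```

With the default of three mails per canonical address per hour, the first three variants get a mail and the remaining three are suppressed and reported, while the unrelated address is unaffected; the per-IP limiter catches a client that rotates through many distinct recipients instead.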
Attached file GitHub Pull Request

Merged to master and will be in next week's deployment.
https://github.com/mozilla-bteam/bmo/commit/d23d4d991d2cbe2205998a7dfd5281af40a31365

Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED

Any bounties?

(In reply to Daniel Veditz [:dveditz] from comment #11)

This bug does not qualify for our bug bounty

Unfortunately it was already determined in comment 11.

Group: bugzilla-security