Closed Bug 1718816 Opened 3 years ago Closed 3 years ago

email verification bypass on Firefox Accounts

Categories

(Cloud Services :: Server: Firefox Accounts, defect, P1)

Firefox 89
defect
Points:
13

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: tamilrockerstamilrockers99, Unassigned, NeedInfo)

Details

Attachments

(1 file)

Attached video firefox.mp4

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Firefox for Android

Steps to reproduce:

1. Open the Mozilla Firefox website.
2. Enter the sign-up to create an account.
3. It will redirect you to the password page; enter the password.
4. OTP will ask you to create an account for yourself.
5. Enter some code, 0000.
6. The response is "invalid or expired verification code".
7. Action: intercept the request and change the response.
8. Given below: POC

REQUEST

POST /v1/session/verify_code HTTP/1.1
Host: api.accounts.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://accounts.firefox.com/
authorization: Hawk id="1a26a6338e4399116d246c03fd18170df11214e1906ac8b5d444bcc9c475fcb7", ts="1625102447", nonce="v0iRDt", hash="oOGCc2iv1FhbDBkLu8ily9M1F5DSwWzoy2V/J1F/AcE=", mac="IjcqfKFmQTTsFDCOA3+EJ2fXvg6EclRpHTUVLAJyWQI="
content-type: application/json
Origin: https://accounts.firefox.com
Content-Length: 34
Connection: close

{"code":"000000","service":"sync"}

ORIGINAL RESPONSE

400 BAD REQUEST
*********(something)
**********(something)
**********(something)

RESPONSE BODY

Content-Length: 198

{
"code":400
"**********(something) "
**********(something),
**********(something)
}

To bypass the verification:

200 OK
Content-Length: 2

RESPONSE BODY

{
}

IMPACT:

An attacker can succeed in the account takeover of any user without any privileges, using only an email.

Actual results:

This allows attackers to create the account without having access to the email address.

What is the current bug behavior?
Able to sign up with any email.

Verification was bypassed.

Expected results:

It should

Because of:
There are no required access tokens.

Group: firefox-core-security → cloud-services-security
Component: Untriaged → Server: Firefox Accounts
Product: Firefox → Cloud Services
Summary: email verification bypass → email verification bypass on Firefox Accounts

Where can I read your bug report state details? Could you please say that.

Thank you

Severity: -- → S1
Points: --- → 13
Priority: -- → P1

Hi Tamil, thanks for the report.

Please do not modify the bug fields. They're for internal use.

The Firefox Accounts UI is a single page web app that will display an "account connected" message for a valid OTP verification code response. At the end of your video, the menu still asks you to "finish account set up."

Are you able to get a valid Firefox account session without intercepting the /v1/session/verify_code response?

Flags: needinfo?(tamilrockerstamilrockers99)

I do not have any other account in my browser other than this.

I do not know if it is possible for you to create an account without interrupting it, only if you interrupt and change its response (you can create an account by intercepting the request).

Flags: needinfo?(tamilrockerstamilrockers99)

Any updates?

Flags: needinfo?(tamilrockerstamilrockers99)

Thanks for the report.

It doesn't sound like you're creating a verified account here. Anyone can create an account (and FxA will email them for verification). If the account is never verified you can't do much with it, and it may get removed at some point.

I don't see what has been reported above as a security flaw so I'm going to close this. Please let me know if I'm misunderstanding something.

Thanks.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
Group: cloud-services-security
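As an added illustration of the triager's point (constructed example; not FxA's code and not part of the bug report), an in-memory model of the sign-up flow: a proxy can rewrite the 400 into a 200 so the UI believes it is "connected", but the server's own verified flag never changed, so the server still refuses anything that requires a verified session. The class and method names are assumptions made for the example.

```python
import hmac
import secrets


class AccountServer:
    """Constructed model of the server side: the verified flag lives here only."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"email", "code", "verified"}

    def signup(self, email):
        session_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"  # would be emailed to the user
        self.sessions[session_id] = {"email": email, "code": code, "verified": False}
        return session_id, code

    def verify_code(self, session_id, code):
        s = self.sessions[session_id]
        if not hmac.compare_digest(s["code"], code):  # constant-time compare
            return 400, {"code": 400, "message": "Invalid or expired verification code"}
        s["verified"] = True
        return 200, {}

    def sync_data(self, session_id):
        """A verified-only operation; the check uses server state, not client claims."""
        if not self.sessions[session_id]["verified"]:
            return 403, {"code": 403, "message": "Unverified session"}
        return 200, {"data": "ok"}


class Client:
    """Constructed model of a UI that trusts whatever response it receives."""

    def __init__(self, server):
        self.server = server
        self.connected = False

    def submit_code(self, session_id, code, tamper=None):
        status, body = self.server.verify_code(session_id, code)
        if tamper is not None:  # models an intercepting proxy rewriting the response
            status, body = tamper(status, body)
        self.connected = status == 200
        return self.connected


def tampered_flow():
    """Wrong code + rewritten response: UI says connected, server still refuses."""
    server = AccountServer()
    sid, _real_code = server.signup("victim@example.test")  # constructed address
    client = Client(server)
    client.submit_code(sid, "000000", tamper=lambda s, b: (200, {}))
    return client.connected, server.sync_data(sid)[0]


def genuine_flow():
    """Real emailed code, no tampering: server flips the flag and sync succeeds."""
    server = AccountServer()
    sid, real_code = server.signup("owner@example.test")  # constructed address
    client = Client(server)
    client.submit_code(sid, real_code)
    return client.connected, server.sync_data(sid)[0]
```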