email verification bypass on Firefox Accounts
Categories: Cloud Services :: Server: Firefox Accounts, defect, P1
Tracking: Not tracked
People: Reporter: tamilrockerstamilrockers99, Unassigned, NeedInfo
Attachments: 1 file (video/mp4, 1.96 MB)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Firefox for Android
Steps to reproduce:
1. Open the Mozilla Firefox website.
2. Enter sign up to create an account.
3. It will redirect you to the password page; enter the password.
4. OTP will ask you to create an account for yourself.
5. Enter some code, 0000.
6. This responds "invalid or expired verification code".
7. Action: intercept the request and change the response.
8. POC given below:
REQUEST
POST /v1/session/verify_code HTTP/1.1
Host: api.accounts.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://accounts.firefox.com/
authorization: Hawk id="1a26a6338e4399116d246c03fd18170df11214e1906ac8b5d444bcc9c475fcb7", ts="1625102447", nonce="v0iRDt", hash="oOGCc2iv1FhbDBkLu8ily9M1F5DSwWzoy2V/J1F/AcE=", mac="IjcqfKFmQTTsFDCOA3+EJ2fXvg6EclRpHTUVLAJyWQI="
content-type: application/json
Origin: https://accounts.firefox.com
Content-Length: 34
Connection: close
{"code":"000000","service":"sync"}
ORIGINAL RESPONSE
*400 BAD REQUEST
**********(something)
**********(something)
**********(something)
RESPONSE BODY
Content-Length: 198

{
"code":400
"**********(something)"
**********(something),
**********(something)
}
To bypass the verification, change the response to:
200 OK
Content-Length: 2
RESPONSE BODY
{
}
IMPACT:
An attacker can succeed in the account takeover of any user without any privileges, using only an email.
Actual results:
This allows attackers to create the account without having access to the email address.
What is the current bug behavior?
Able to sign up with any email; verification was bypassed.
Expected results:
it should
because of:
There are no required access tokens.
Where can I read your bug report state details? Could you please say that.
Thank you.
Hi Tamil, thanks for the report.
Please do not modify the bug fields. They're for internal use.
The Firefox Accounts UI is a single page web app that will display an "account connected" message for a valid OTP verification code response. At the end of your video, the menu still asks you to "finish account set up."
Are you able to get a valid Firefox account session without intercepting the /v1/session/verify_code response?
I do not have any other account in my browser other than this.
I do not know if it is possible for you to create an account without interrupting it; only if you interrupt and change its response (you can create an account by intercepting the request).
Comment 5•3 years ago
Thanks for the report.
It doesn't sound like you're creating a verified account here. Anyone can create an account (and FxA will email them for verification). If the account is never verified you can't do much with it and may get removed at some point.
I don't see what has been reported above as a security flaw so I'm going to close this. Please let me know if I'm misunderstanding something.
Thanks.
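As an added illustration of the point made in comment 5 (this is a toy model, not Firefox Accounts' own code), a verify_code endpoint whose "verified" flag is server-side state: a proxy that rewrites the 400 into a 200 changes only what the browser renders, and a later sync request is still refused. The class and function names, the code lifetime and the attempt limit are assumptions.

```python
import hmac
import secrets
import time

# Assumed policy values for this toy model (not FxA's real settings).
OTP_TTL_SECONDS = 600   # how long a verification code stays valid
MAX_ATTEMPTS = 5        # guesses allowed per session before lock-out

class Session:
    def __init__(self, email):
        self.email = email
        self.verified = False  # server-side source of truth
        self.code = "".join(secrets.choice("0123456789") for _ in range(6))
        self.issued_at = time.time()
        self.attempts = 0

class AccountServer:
    """Toy verify_code endpoint: 'verified' lives here, not in the browser."""
    def __init__(self):
        self.sessions = {}

    def signup(self, email):
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(email)
        return sid

    def verify_code(self, sid, code, now=None):
        now = time.time() if now is None else now
        s = self.sessions[sid]
        if s.attempts >= MAX_ATTEMPTS:
            return 429, {"errno": "too_many_attempts"}
        s.attempts += 1
        expired = now - s.issued_at > OTP_TTL_SECONDS
        if expired or not hmac.compare_digest(s.code, code):
            return 400, {"errno": "invalid_or_expired"}
        s.verified = True
        return 200, {}

    def sync_allowed(self, sid):
        # Every privileged operation re-reads server state, never the UI.
        return self.sessions[sid].verified

def tampering_client(server, sid, guess):
    """Submit a guess, then rewrite a 400 into a 200 as an intercepting proxy
    would. Returns (status the browser sees, server's actual decision)."""
    status, body = server.verify_code(sid, guess)
    if status != 200:
        status, body = 200, {}
    return status, server.sync_allowed(sid)
```

The rewritten status is what the single-page app reacts to; the server's answer to "may this session use sync?" is unaffected by it.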