Closed Bug 1721714 Opened 2 months ago Closed 2 months ago

Missing session checks at 2FA leading to improper session management in BMO (bugzilla.mozilla.org)

Categories

(bugzilla.mozilla.org :: General, defect)

RESOLVED FIXED

People

(Reporter: sinha.aryan11, Assigned: dkl)

Details

(Keywords: sec-low, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(1 file)

Summary:

Even after resetting the password remotely, the user already presented with the 2FA page is allowed to log in with the old password of the BMO account.

Impact:

Improper session management

Repro Steps:

Setup: 2FA enabled BMO account

  1. Go to bugzilla.mozilla.org and enter the credentials. You will be presented with 2FA page which will ask you to enter the 2FA code. Do not enter the code at this moment.

  2. From another browser/device, go to bugzilla.mozilla.org and initiate the reset password process for the BMO account, and reset the password successfully for the given BMO account.

  3. Come to the previous browser/device where you were presented with the 2FA page and enter the valid 2FA code. You will be successfully logged in.

Any session created with an older password should get terminated right after the password reset.

Flags: sec-bounty?
Group: websites-security → bugzilla-security
Type: task → defect
Component: Other → General
Product: Websites → bugzilla.mozilla.org

Marking as sec-low as this requires existing credentials.

Keywords: sec-low
Assignee: nobody → dkl
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attached patch 1721714_1.patch
Attachment #9232692 - Flags: review?(glob)
Comment on attachment 9232692 [details] [diff] [review]
1721714_1.patch

Review of attachment 9232692 [details] [diff] [review]:
-----------------------------------------------------------------

r=glob
Attachment #9232692 - Flags: review?(glob) → review+

Merged to master. Will be live today.

Group: bugzilla-security

This change is now live.

(In reply to David Lawrence [:dkl] from comment #5)

> This change is now live.

Hi David,

I re-tested the same and can confirm that the vulnerability has been fixed.

As I have never been rewarded with a bounty by Mozilla, I am unsure about the process. Is this report eligible for the bounty, as I believe it is? If yes, how much time does it usually take to award a bounty?

Thanks in advance! The quick fix is much appreciated.

Flags: needinfo?(dkl)

(In reply to Aryan Sinha from comment #6)

> I re-tested the same and can confirm that the vulnerability has been fixed.

Good

> As I have never been rewarded with a bounty by Mozilla, I am unsure about the process. Is this report eligible for the bounty, as I believe it is? If yes, how much time does it usually take to award a bounty?

I am not involved with that process so I will needinfo someone who might be able to help.

Flags: needinfo?(dkl) → needinfo?(dveditz)

It looks like you filed this bug using the bounty form, so it has all the metadata needed to make it into the bounty committee's queue. The bug is not marked "fixed" yet, though. Dave: does comment 5 mean this should be resolved FIXED, or is there something else we're waiting on?

Flags: needinfo?(dveditz) → needinfo?(dkl)

(In reply to Daniel Veditz [:dveditz] from comment #8)

> It looks like you filed this bug using the bounty form, so it has all the metadata needed to make it into the bounty committee's queue. The bug is not marked "fixed" yet, though. Dave: does comment 5 mean this should be resolved FIXED, or is there something else we're waiting on?

It is fixed and deployed. Wasn't sure about closing this bug though as the security bounty decision was still ongoing. Feel free to close.

Flags: needinfo?(dkl)
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED

Thank you for reporting this. We don't believe this would be a realistic attack scenario, but we appreciate the opportunity to fix this race condition.

Flags: sec-bounty? → sec-bounty+