Missing session checks at 2FA leading to improper session management in BMO (bugzilla.mozilla.org)
Categories: bugzilla.mozilla.org :: General, defect
People: Reporter: sinha.aryan11, Assigned: dkl
Details: Keywords: sec-low, wsec-authentication; Whiteboard: [reporter-external] [web-bounty-form] [verif?]
Attachments: 1 file (799 bytes, patch; glob: review+)
Summary:
Even after resetting the password remotely, the user already presented with the 2FA page is allowed to log in with the old password of the BMO account.
Impact:
Improper session management
Repro Steps:
Setup: 2FA enabled BMO account
- Go to bugzilla.mozilla.org and enter the credentials. You will be presented with the 2FA page, which will ask you to enter the 2FA code. Do not enter the code at this moment.
- From another browser/device, go to bugzilla.mozilla.org and initiate the reset password process for the BMO account, and reset the password successfully for the given BMO account.
- Come to the previous browser/device where you were presented with the 2FA page and enter the valid 2FA code. You will be successfully logged in.
Any session created with an older password should get terminated right after the password reset.
Marking as sec-low as this requires existing credentials.
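A minimal model of the flow in the repro steps, added here as an illustration; it is not BMO's code or the attached patch, which this page does not show. `AuthService`, the `epoch` counter, the static second-factor code and the account values are all hypothetical: the pending-2FA token records which credential version was proven at step 1, and the hardened mode rejects it if the password changed before the code was entered.

```python
import hashlib, hmac, secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    """Hypothetical two-step login: password first, then a second factor."""
    def __init__(self, check_epoch):
        self.check_epoch = check_epoch  # False models the reported behaviour
        self.users = {}                 # login -> salt, pw hash, epoch, otp
        self.pending = {}               # pending-2FA token -> (login, epoch)

    def add_user(self, login, password, otp):
        salt = secrets.token_bytes(16)
        self.users[login] = {"salt": salt, "pw": _hash(password, salt),
                             "epoch": 0, "otp": otp}

    def reset_password(self, login, new_password):
        user = self.users[login]
        user["pw"] = _hash(new_password, user["salt"])
        user["epoch"] += 1              # every credential change bumps the epoch

    def login_step1(self, login, password):
        user = self.users.get(login)
        if user is None or not hmac.compare_digest(
                user["pw"], _hash(password, user["salt"])):
            return None
        token = secrets.token_urlsafe(16)
        self.pending[token] = (login, user["epoch"])  # which password was proven
        return token

    def login_step2(self, token, otp):
        entry = self.pending.pop(token, None)         # pending tokens are single use
        if entry is None:
            return False
        login, epoch = entry
        user = self.users[login]
        if self.check_epoch and epoch != user["epoch"]:
            return False                              # password changed since step 1
        return hmac.compare_digest(user["otp"], otp)

def replay_report(check_epoch):
    """Replay the three repro steps; True means the stale login succeeded."""
    svc = AuthService(check_epoch)
    svc.add_user("user@example.test", "old-password", "123456")  # constructed
    token = svc.login_step1("user@example.test", "old-password")  # step 1
    svc.reset_password("user@example.test", "new-password")       # step 2
    return svc.login_step2(token, "123456")                       # step 3
```

`replay_report(False)` reproduces the reported behaviour and `replay_report(True)` shows the stale pending login being refused.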
Comment 2 • 3 years ago (Assignee)
Comment on attachment 9232692: 1721714_1.patch
Review of attachment 9232692:
r=glob
Comment 5 • 3 years ago (Assignee)
This change is now live.
Comment 6 • 3 years ago (Reporter)
(In reply to David Lawrence [:dkl] from comment #5)
> This change is now live.
Hi David,
I re-tested the same and can confirm that the vulnerability has been fixed.
As I have never been rewarded with a bounty by Mozilla, I am unsure about the process. Is this report eligible for the bounty, as I believe so? If yes, how much time does it usually take to reward a bounty?
Thanks, in advance! Much appreciate a quick fix.
Comment 7 • 3 years ago (Assignee)
(In reply to Aryan Sinha from comment #6)
> I re-tested the same and can confirm that the vulnerability has been fixed.
Good
> As I have never been rewarded with a bounty by Mozilla, I am unsure about the process. Is this report eligible for the bounty, as I believe so? If yes, how much time does it usually take to reward a bounty?
I am not involved with that process so I will needinfo someone who might be able to help.
Comment 8 • 3 years ago
It looks like you filed this bug using the bounty form, so it has all the metadata needed to make it into the bounty committee's queue. The bug is not marked "fixed" yet, though. Dave: does comment 5 mean this should be resolved FIXED, or is there something else we're waiting on?
Comment 9 • 3 years ago (Assignee)
(In reply to Daniel Veditz [:dveditz] from comment #8)
> It looks like you filed this bug using the bounty form, so it has all the metadata needed to make it into the bounty committee's queue. The bug is not marked "fixed" yet, though. Dave: does comment 5 mean this should be resolved FIXED, or is there something else we're waiting on?
It is fixed and deployed. Wasn't sure about closing this bug though as the security bounty decision was still ongoing. Feel free to close.
Comment 12 • 3 years ago
Thank you for reporting this. We don't believe this would be a realistic attack scenario, but we appreciate the opportunity to fix this race condition.