1728144 - Password Reset Token Leakage

Status: RESOLVED DUPLICATE of bug 1679767

(Firefox :: Firefox Accounts, defect)

Description

[Raghuram G]

Attachment: TOKENS.zip

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36

Steps to reproduce:

Step 1 : Go To - https://accounts.firefox.com/reset_password
Step 2 : Enter Registered Gmail
Step 3 : Click Begin Reset Button
Step 4 : Capture the Request
Step 5 : See Response For That You Get the Password Token

Actual results:

Password Token is Being Leaked in Response itself

Something Looks Like , it's a Critical Bug

Response Received in My Burpsuite :

{"passwordForgotToken":"f0177f67bb0de0bd87076877cde2ea7be41af6fb6b75e5d36612afeecae58f5f","ttl":86400,"codeLength":32,"tries":3}

The Above is Received in My Response , Screen Shots Attached POC

Expected results:

Show Only "Success" or "Check Email" Message While Requesting Password Reset Option .

But here it's showing the token

I've Attached TOKENS.zip file , which consists of Five Screenshots.

Take a Look For More Clarity

Thanks & Regards
Raghuram G
Bug Bounty Hunter
raghuram.4.5.0.2@gmail.com

Comment 1

[Daniel Veditz [:dveditz]]

Attachment: token1.png (1 of 5 in .zip)

Attaching one of the images. The others are basically the same with different tokens (and the rest don't show the Host: header being messed with).

Comment 2

[Daniel Veditz [:dveditz]]

Moving component so the right people see it, but my guess would be we save this token in your browser and try to match it when you click on the link in your mail. That way if you maliciously try to reset the account of someone else, and they (foolishly) click the link out of curiosity, the reset token in the link won't match a saved token and we won't actually reset their password and destroy their saved data. But that's just my guess.

Comment 3

[Raghuram G]

I've Checked that also , the token in response is same as the mail received.

I've checked token in response with the mail mail I've received, both are same .

What I'm trying to say is , Show Only "Success" or "Check Email" Message While Requesting Password Reset Option .

But here it's showing the token

Kindly consider

Comment 4

[Daniel Veditz [:dveditz]]

Ah, I see. You're saying if it is malicious, you think the attacker has what they need to create a reset-confirmation link, click on it, and take over the account (or even just destroy their sync'd data) even if they don't control the email account. Did you try it? Were you able to make it work?

In addition to the token, a uid and code are also sent as part of the emailed reset link and all three pieces of information must match.

Comment 5

[Mark Hammond [:markh] [:mhammond]]

(In reply to Daniel Veditz [:dveditz] from comment #2)

Moving component so the right people see it, but my guess would be we save this token in your browser

The browser doesn't explicitly do this - I believe what happens is that the web content on FxA does this dance without any custom help from the browser. That said though, I also don't understand why that token is in that response and not only in the link delivered by email. I'm redirecting the needinfo to Danny who's the owner of FxA.

Comment 6

[Raghuram G]

What to do now , the only prob is why the token is exposing in response itself.

Comment 7

[Danny Coates [:dcoates]]

The token is not considered sensitive data. The code is the secret used to authenticate the password reset. The token is returned by the server so that in case the email isn't delivered in a timely manner the user can click a link to resend another email with the same data via /password/forgot/resend_code. This way whichever email they click the link on first will work correctly, since we only allow one of these tokens to exist at a time per user. It isn't strictly necessary but it improves one UX edge case.

I believe this is a duplicate, but I can't find the previous issue at the moment.

Comment 8

[Raghuram G]

What's Next Sir , This is Valid one or not.