Closed Bug 1738320 Opened 3 years ago Closed 3 years ago

Github Account Takeover of "mozilla-release-automation-bot" from "github.com/mozilla-mobile/fenix"

Categories

(Firefox for Android :: General, defect)

All
Android
defect


RESOLVED FIXED

People

(Reporter: arshadkazmi42, Unassigned)


Details

(Keywords: reporter-external, sec-moderate, wsec-takeover, Whiteboard: [reporter-external] [web-bounty-form])

Attachments

(1 file)

Summary

One of Mozilla's repositories, https://github.com/mozilla-mobile/fenix, has a Sprint template. In that template, one step is to give access to the Mozilla release bot GitHub account. That GitHub account was not registered on github.com,
so I was able to take over the account and host a PoC.

Steps

  1. Go to https://github.com/mozilla-mobile/fenix/blob/main/.github/ISSUE_TEMPLATE/release_checklist.md#sprint-x1-end-wednesday-2nd-week-cutting-a-beta
  2. Search for Grant mozilla-release-automation-bot write access to this branch.
  3. Click on mozilla-release-automation-bot
  4. You will be taken to this repository https://github.com/mozilla-release-automation-bot where you will see the takeover message

PoC

Impact

An attacker can take over the account, and when someone uses the sprint template from the repository, they will end up giving access to the attacker, which can lead to malicious code being uploaded to Mozilla repositories.

Flags: sec-bounty?
Type: task → defect
Flags: needinfo?(sarentz)
Keywords: wsec-takeover
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → [reporter-external] [web-bounty-form]
Group: websites-security → mobile-core-security
Component: Other → Security: Android
Product: Websites → Fenix
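The report above is a dangling-reference problem: a checklist names a GitHub login that nobody had registered, so whoever registers it first inherits every grant made by following the checklist. The checker below is an added example, not Mozilla's or the reporter's code. It pulls account references (`@mentions` and `github.com/<login>` links) out of Markdown and asks a lookup function whether each login is registered; the sample template, the login names in it, and the offline `fake_lookup` directory are constructed for illustration. `github_user_exists` is the live variant, using the public `GET /users/<login>` endpoint, where a 404 means the name is free to claim.

```python
"""Find GitHub account references in Markdown and flag the ones that are
unregistered, i.e. claimable by an attacker (added example, assumptions
noted inline)."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# GitHub login rules: 1-39 chars, alphanumerics or single hyphens,
# no leading/trailing hyphen and no consecutive hyphens.
USERNAME = r"[A-Za-z0-9](?:[A-Za-z0-9]|-(?=[A-Za-z0-9])){0,38}"
LINK_RE = re.compile(r"https?://github\.com/(" + USERNAME + r")(?=[/\s).,\]>]|$)")
# An @mention must not be the domain part of an e-mail address or follow a path.
MENTION_RE = re.compile(r"(?<![\w/@])@(" + USERNAME + r")\b")

# First path segments under github.com/ that are site features, not accounts.
RESERVED = {"orgs", "settings", "features", "marketplace", "explore", "about",
            "login", "join", "pulls", "issues", "notifications", "sponsors",
            "topics", "trending", "apps"}


def extract_references(markdown: str) -> List[str]:
    """Return the distinct logins referenced by links or @mentions."""
    names = set()
    for m in LINK_RE.finditer(markdown):
        if m.group(1).lower() not in RESERVED:
            names.add(m.group(1))
    for m in MENTION_RE.finditer(markdown):
        names.add(m.group(1))
    return sorted(names, key=str.lower)


def github_user_exists(login: str, token: Optional[str] = None) -> bool:
    """Live lookup: 200 from /users/<login> means the name is taken (user or
    org); 404 means anyone can register it. Needs network access."""
    req = urllib.request.Request(
        f"https://api.github.com/users/{login}",
        headers={"Accept": "application/vnd.github+json",
                 "User-Agent": "dangling-account-check"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return False
        raise  # rate limit or outage: do not silently report "safe"


def find_dangling(markdown: str, exists: Callable[[str], bool]) -> Dict[str, bool]:
    """Map each referenced login to True (registered) or False (claimable)."""
    return {name: exists(name) for name in extract_references(markdown)}


def claimable(markdown: str, exists: Callable[[str], bool]) -> List[str]:
    """Logins that appear in the document but nobody owns."""
    return [n for n, ok in find_dangling(markdown, exists).items() if not ok]


# Constructed sample checklist, modelled on a release template; every login
# in it is an assumption, not a real account.
SAMPLE_TEMPLATE = """\
### Sprint X+1 end (constructed sample)
- [ ] Cut a beta from https://github.com/example-org/example-app/tree/main
- [ ] Grant @example-release-bot write access to this branch
- [ ] Ping @example-maintainer and [the bot](https://github.com/example-release-bot) when done
- [ ] Email release@example.com (not an account reference)
"""

# Constructed stand-in for the live API so the example runs offline.
FAKE_REGISTERED = {"example-org", "example-maintainer"}


def fake_lookup(login: str) -> bool:
    return login in FAKE_REGISTERED


if __name__ == "__main__":
    for name, registered in find_dangling(SAMPLE_TEMPLATE, fake_lookup).items():
        print(f"{name:25} {'registered' if registered else 'CLAIMABLE'}")
```

Run it against a real checkout by reading each `.github/ISSUE_TEMPLATE/*.md` and passing `github_user_exists` as the lookup; treat any `CLAIMABLE` line as a finding, and note that a login the API reports as free today can be registered by anyone tomorrow, so the fix is to remove or correct the reference, not merely to re-check it.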

I expect Amedyne and Aki are better suited to look at this than Stefan.

Flags: needinfo?(amoya)
Flags: needinfo?(aki)

I approved those edits.

Flags: needinfo?(sarentz)
Flags: needinfo?(amoya)

Hi,

I have verified the fix. This has been fixed.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release

Calling this sec-moderate because it's a low-chance but high-impact issue. The current team members already know the procedure or would ask the people who know, but it's not impossible that some new PM in the future could have gotten this wrong on their first attempt, giving an eventual payoff.

Flags: sec-bounty? → sec-bounty+
Keywords: sec-moderate

Thank you for the awesome bounty.

Let me know if Mozilla wants to take over this organization, so I can transfer it.

Otherwise I will just release the organization.

Group: core-security-release
Component: Security: Android → General
OS: All → Android