Closed Bug 1773931 Opened 3 years ago Closed 3 years ago

Users can view limited information about secure Phabricator revisions due to publicly joinable group mozilla-phabricator-emails

Categories

(Conduit :: Phabricator, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dylanfarrar.1, Unassigned)

References

()

Details

(4 keywords, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

mozilla-phabricator-emails is joinable and editable by any user.
The description says:
"Allows access to the custom Mozilla email endpoints. Users who are part of this group will be able to see users' email addresses via the email endpoints."

Specifically, the group seems to grant access to the Phabricator APIs "feed.for_email.query" and "feed.for_email.status". The API "feed.for_email.query" bypasses object view policy. However, if the Differential revision has the "secure-revision" tag, then certain information is omitted. Specifically, only information from events that implement SecureEmailBody (see https://github.com/mozilla-conduit/phabricator/tree/master/moz-extensions/src/email/model) is exposed; generally this is information such as subscribers, reviewers, author, event actor, the events themselves, pings and ping recipients, and the Bugzilla bug ID, whereas information such as the revision title or comment body is removed from secure revisions.

Additionally, you could remove the user email-bot as a member, which would break Mozilla's custom Phabricator emails.

Flags: sec-bounty?

I mitigated this by changing the project policy: https://phabricator.services.mozilla.com/project/manage/151/#12846.

Group: websites-security → conduit-security
Component: Other → Phabricator
Product: Websites → Conduit

Hello Dylan,

Thank you for your report.

Can you please provide us with detailed steps to reproduce the issue?

Thanks,
Frida

Hello David, hope you are well.

Can you please take a look?

Thanks,
Frida

Flags: needinfo?(dkl)
Status: UNCONFIRMED → NEW
Ever confirmed: true

Hello Dylan,

I read your report again and I think I now understand what's going on, so no need to send us the steps to reproduce.

You were able to join the group https://phabricator.services.mozilla.com/tag/mozilla-phabricator-emails/. Based on the group description, the group:

Allows access to the custom Mozilla email endpoints.
Users who are part of this group will be able to see users' email addresses via the email endpoints.

This allowed access to information related to secure revisions.

The team have locked access to the group and will be auditing other groups to check for similar misconfiguration.

Thanks,
Frida

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Keywords: sec-high → sec-moderate

Thank you for reporting (and fixing!) this issue! We are awarding a bug bounty for this issue.

I'm lowering the severity because the information about secure bugs is fairly minimal -- we've stripped sensitive information because we didn't trust plaintext mail in the first place. The existence of secure bugs can be detected already through queries, so the additional information this leaks is the folks involved in a bug. That's not nothing, but mostly points at what part of the code is likely involved.

The other impact is a DoS of the system as you've described, but we don't just rely on email notification and this would almost certainly be detected and fixed fairly quickly. But it would be damn annoying and it's an important part of our workflow.

Flags: sec-bounty? → sec-bounty+
Group: conduit-security
Flags: needinfo?(dkl)