CAN ADD SECONDARY EMAIL AND ALSO REGISTER USING @firefox.com MAIN DOMAIN
Categories: Cloud Services :: Server: Firefox Accounts, task
Tracking: Not tracked
People: Reporter: efraimsion26, Unassigned
Details: Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?]
[ SUMMARY ]
- SUMMARY WHEN ADD SECONDARY EMAIL WITH MAIN DOMAIN, @firefox.com -
I got this bug after I tried to add a second email address to my Firefox account. I'm idly trying to add an email with the firefox.com domain. Example: testing123@firefox.com. And to bypass the code verification step, I use a bypass trick like in my previous report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1777807 with the title "Bypass Verification OTP After Register Account at accounts.firefox.com."
I also managed to add the email testing123@firefox.com, even though the email has not been verified (unverified), and I didn't find a loophole so that it can be used as the main email for logging in.
- SUMMARY REGISTER USING EMAIL WITH MAIN DOMAIN @firefox.com -
I found this vulnerability again out of curiosity after I found a bug in the "Add" secondary email feature. When I try to register using testing123@firefox.com, it will fail with a red notice "Enter a valid e-mail address. firefox.com does not e-mail offers." Then I tried to bypass it by using a combination of upper and lower case on the domain. For example, testing123@FiRefoX.cOm. And I didn't think the red notice didn't appear, and I immediately got to fill in the password and age in the sense that it was successfully bypassed.
[ STEP TO REPRODUCE ADD SECONDARY EMAIL WITH MAIN DOMAIN, @firefox.com ]
- Go to https://accounts.firefox.com/settings
- On the setting page, Click "Add" secondary email.
- Fill in the email with the firefox.com domain. Example testing123@firefox.com.
- After entering the code verification stage, bypass the code verification with the trick in my other report https://bugzilla.mozilla.org/show_bug.cgi?id=1777807 .
- Email will be successfully added even though the email has not been verified (unverified).
[ STEP TO REPRODUCE REGISTER USING EMAIL WITH MAIN DOMAIN @firefox.com ]
- Go to https://accounts.firefox.com/signin
- Fill the form with {anytingusername}@FiRefoX.cOm
Note: As in the video, after filling in the password and age form then clicking "Create Account," will enter the code verification stage, but suddenly within a few seconds, like immediately exiting back to the start page when you want to enter an email and a red notice appears "Your verification email was just returned. Mistyped email?"
[ IMPACT ]
Actually, I have not found a definite impact that really harms other users. But in my opinion, this bug still needs to be fixed because the implementation is still lacking to say that this website is "SAFE". Imagine if a Hacker someday could actually find a way to successfully create an account with a primary email using the @firefox.com domain. Of course, this is not good for business and has the potential for more dangerous actions in the future. Registering by email using the main domain of the website is quite dangerous, which in some cases, can get to gain access to internal systems or even cause a privilege escalation on the system.
Btw sir, link-video.txt is a file containing the link to the video PoC.
Hello Mozilla Team.
Any update for my report?
Thanks
Your Sincerely,
Mikhael
Comment 3•3 years ago
This is probably not a security bug, but it is indeed odd that mixed-casing gets around the EmailValidation routine for firefox.com. I would have thought we checked for DNS MX records -- the page certainly behaves differently when I put in fake domains. Ah, but firefox.com does have an MX record because of Firefox Relay. It must be special-cased in there somewhere.
Comment 4•3 years ago
regexp strikes again:
https://github.com/mozilla/fxa/blob/421b43536da5de57677cb3241fbc42bff170e214/packages/fxa-content-server/app/scripts/views/index.js#L176-L180
Need to change
return /@firefox(\.com)?$/.test(email);
to
return (/@firefox(\.com)?$/i).test(email);
... or go more verbose for readability (the trailing 'i' tucked under the slash is easily missed)
let firefoxMail = new RegExp("@firefox(\\.com)?$", 'i');
return firefoxMail.test(email);
Why would we want to match "foo@firefox" ? Is there some mail program out there that will supply ".com"?
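The check discussed in the comment above, as an added example that is not part of the original thread or the fxa code base: it compares the case-sensitive pattern with the `/i` fix, shows the escaping pitfall of building the same pattern from a string, and adds a regex-free alternative that lowercases the domain first. Function names, the blocklist and the sample addresses are constructed for illustration.

```javascript
// Added example; function names are hypothetical, not from the fxa code base.

// The check as quoted in the thread: case-sensitive.
function isFirefoxMailOriginal(email) {
  return /@firefox(\.com)?$/.test(email);
}

// The proposed fix: same pattern with the case-insensitive flag.
function isFirefoxMailFixed(email) {
  return /@firefox(\.com)?$/i.test(email);
}

// Pitfall when the pattern is built from a string: inside a string literal
// "\." is just ".", so the pattern becomes @firefox(.com)?$ and "." matches
// any character. The backslash has to be doubled.
const looseFromString = new RegExp("@firefox(\.com)?$", "i");
const strictFromString = new RegExp("@firefox(\\.com)?$", "i");

// Alternative without a regex: split off the domain, lowercase it, and
// compare against an exact blocklist (assumed list, for illustration).
const BLOCKED_DOMAINS = new Set(["firefox.com", "firefox"]);
function isBlockedDomain(email) {
  const at = email.lastIndexOf("@");
  if (at === -1) return false;
  return BLOCKED_DOMAINS.has(email.slice(at + 1).trim().toLowerCase());
}

// Constructed sample inputs.
const samples = [
  "testing123@firefox.com",
  "testing123@FiRefoX.cOm",
  "testing123@firefoxXcom",
  "user@example.com",
];

function report() {
  return samples.map((email) => ({
    email,
    original: isFirefoxMailOriginal(email),
    fixed: isFirefoxMailFixed(email),
    looseFromString: looseFromString.test(email),
    strictFromString: strictFromString.test(email),
    normalized: isBlockedDomain(email),
  }));
}

console.table(report());
```

Because domain names are case-insensitive, any allow or deny decision on an email domain should be made on a normalized form, and the same check belongs on the server as well as in the client-side view.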
I have a suggestion on how to only allow lowercase letters when registering email, like Google.
When I register on Google using abcde@GoOgle
The response is "Sorry, only letters (a-z), numbers (0-9), and periods (.) are allowed."
Sorry if it's presumptuous. I'm a bit curious.
I want to ask, do you think this bug is valid and deserves a bounty reward?
Comment 7•3 years ago
Thanks Mikhael for reporting and Dan for the investigation.
It looks like this code was added 5 years ago because the implementation at the time excluded firefox.com directly. So, the original reason for adding a special case is probably lost along with the reason for making .com optional.
I agree we should add /i. I don't think this is a security issue though and I'd be comfortable opening this bug up to public view.
Comment 8•3 years ago
This will be fixed at https://github.com/mozilla/fxa/issues/13690 so I'm going to resolve this as MOVED.
@Mikhael - as I mentioned above, I don't consider this a security issue, just a bug, so I don't think it would qualify for a bounty. I'm not a decider though - the team that determines that meets every 4 or 6 weeks, I think, and I'm sure this bug will come up then.
Thank you very much team for confirmation.
Glad to hear the fix has been released.
Comment 10•3 years ago
Talked to Wil and this fix will go live on August 10th at which point we'll close this as resolved.