Closed Bug 1808276 Opened 3 years ago Closed 3 years ago

Lack of Password Confirmation When Deleting Account & Insecure Design of Delete Button.

Categories

(support.mozilla.org :: Users and Groups, task)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: harshban.air, Unassigned)

References

()

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(1 file)

The issue in the Mozilla support application is that a user account can be deleted without confirming the user's password or re-authenticating. Removing an account is one of the sensitive parts of any application that need protection; therefore, removing an account should validate the authenticity of the legitimate user.

Steps To Reproduce:

  1. Login in the application.
  2. Go to account settings https://support.mozilla.org/en-US/users/edit and click on delete account.
  3. Then again click on delete account button.
  4. Your account will be deleted without confirming the user's password.

Insecure Delete Button
Description:
When you try to delete an account, a username input is required for the deletion to proceed; if you try to delete without any input, it will not delete.
But in this case I'm able to delete the intended item without any input.

  1. Right-click on the non-working delete button.
  2. Click "Inspect element" and change disabled to enabled.
  3. After that, try to click the delete button without any valid input.
  4. You'll be able to delete the account.
  5. Then refresh the page to confirm.

Impact:
Consider a situation where a user forgets to log out of their account, or someone gets access to their device and deletes the account. This situation is more severe than an account takeover, as there is no way to get the account back. All the saved information will be deleted.

Flags: sec-bounty?
Component: Other → Questions
Product: Websites → support.mozilla.org

Hi Harsh,
I've passed this over to the SUMO team. This won't be eligible for a bug bounty, as the SUMO team has opted to require users to enter their username (instead of their password) as the control to prevent accidental account deletion. They'll make a call as to whether they want to change this from a client-side username check to a server-side password check.

Flags: sec-bounty? → sec-bounty-
Group: websites-security

An attacker can easily get the username, but the password can be kept confidential. So opting to require users to enter their username (instead of their password) as the control to prevent accidental account deletion is just a door without any lock.
Using password confirmation before deleting an account makes the website more secure.

Flags: needinfo?(tasos)
Component: Questions → Users and Groups
Group: websites-security
Group: websites-security

Indeed, the point of the check is not a security control, it's meant to prevent a user from accidentally deleting their profile. You can see a similar feature in AWS when you attempt to delete something (an S3 bucket, a VPC) where it asks you to type in the name of the resource, or the word "delete".

The prompt for the username is not meant to prevent an attacker that has control of the user's session but not their password from deleting the profile.

Flags: needinfo?(tasos)
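As an added illustration (this is constructed example code, not Kitsune/SUMO code and not part of this bug thread), the following Python models the two controls the thread distinguishes: a server-side username-confirmation guard against accidental deletion, and the same guard combined with password re-authentication. Both handlers run on the server, so a re-enabled client-side button cannot skip them; only the second one stops a caller who holds the session but not the password. The handler names, the `Request` model and the sample user are assumptions made for the example.

```python
"""Account deletion: a confirmation guard vs. a re-authentication control.

Constructed example; not SUMO/Kitsune code. Models two server-side handlers
for a "delete my account" POST so the difference discussed in the bug is
concrete: typing the username guards against accidental deletion, while
checking the password proves the caller is the account owner and not merely
someone holding the session.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    deleted: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is kept modest for a quick demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt))


def verify_password(user: User, candidate: str) -> bool:
    # compare_digest avoids leaking the stored hash through timing differences.
    return hmac.compare_digest(hash_password(candidate, user.salt), user.pw_hash)


@dataclass
class Request:
    """A POST to the delete endpoint as seen by the server (session already resolved)."""
    session_user: User                       # authenticated account behind the session cookie
    form: dict = field(default_factory=dict) # submitted form fields


def delete_account_confirmation_only(req: Request) -> str:
    """Username-confirmation guard enforced server side.

    This is the accidental-deletion guard from the bug, moved off the client so
    a re-enabled button cannot skip it. Anyone holding the session still passes:
    the username is not a secret.
    """
    user = req.session_user
    if req.form.get("confirm_username") != user.username:
        return "rejected: type your username to confirm"
    user.deleted = True
    return "deleted"


def delete_account_reauth(req: Request) -> str:
    """Username guard plus password re-authentication.

    Keeps the accident guard and adds the control the reporter asked for: the
    password proves the caller is the owner, not just whoever holds the session.
    """
    user = req.session_user
    if req.form.get("confirm_username") != user.username:
        return "rejected: type your username to confirm"
    if not verify_password(user, req.form.get("password", "")):
        return "rejected: password re-authentication failed"
    user.deleted = True
    return "deleted"


if __name__ == "__main__":
    # Constructed sample account; the empty form models a submission that
    # bypassed the client-side disabled button.
    owner = make_user("sample_user", "correct horse battery staple")
    print(delete_account_confirmation_only(Request(owner, {})))
    print(delete_account_reauth(Request(owner, {"confirm_username": "sample_user"})))
    print(delete_account_reauth(Request(owner, {"confirm_username": "sample_user",
                                                "password": "correct horse battery staple"})))
```

The first handler is what a server-side version of the existing username prompt would look like: it blocks an accidental click and a submission that bypassed the disabled button, but not someone who already has the session. The second handler is the re-authentication control the reporter proposed; the usability trade-off is that the legitimate owner must re-enter their password.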

(In reply to Gene Wood [:gene] from comment #3)
> Indeed, the point of the check is not a security control, it's meant to prevent a user from accidentally deleting their profile. You can see a similar feature in AWS when you attempt to delete something (an S3 bucket, a VPC) where it asks you to type in the name of the resource, or the word "delete".
>
> The prompt for the username is not meant to prevent an attacker that has control of the user's session but not their password from deleting the profile.

I want to point out an attack scenario where a user forgets to log out of their account at an internet cafe or on any other device; an attacker can then easily delete their account because of the lack of password confirmation.

And about the S3 bucket delete procedure: an AWS component (an S3 bucket) is being deleted, not the whole AWS account.

Flags: needinfo?(tasos)

Hi Harsh,

Thank you for taking the time to submit this bug. As Gene explained, the purpose of the username prompt is to avoid accidental deletions of a profile, and it's not considered a security mechanism. Because of that, I am marking the bug as wontfix.

Thanks again for filing it!

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(tasos)
Resolution: --- → WONTFIX
