[HackerOne] A user can still edit his/her answer after it has been accepted leading to loss of integrity
Categories
(support.mozilla.org :: General, enhancement)
Tracking
(Not tracked)
People
(Reporter: frida, Unassigned)
Details
Link: https://hackerone.com/reports/2089307
Date: 2023-07-29 10:56:05 UTC
By: tomorrowisnew_
Weakness: Business Logic Errors
Details:
Summary:
After the author of the question has picked the right answer, that answer will be shown to other people having the same question. The website shouldn't allow a user to edit his/her answer after it has been accepted, because this might lead to misinformation.
Steps To Reproduce:
- Have 2 accounts on support.allizom.org. We will call these 2 users user a and user b respectively
- As user a, create a question, in https://support.allizom.org/en-US/questions/new/desktop/form
- As user b, make an answer
- As user a, mark user b's answer as the solution
- Now user b's answer is shown as the right answer when visiting the question
- As user b, edit your answer. See that you still can, and that the change is reflected in the answer shown when viewing the question
Impact
Summary:
With this, a user can spread misinformation by providing wrong answers to new users.
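The server-side rule the report says is missing, written as an added example for this page: an edit to an answer is refused once that answer has been marked as the solution. This is illustrative code, not code from support.mozilla.org or its Kitsune code base; every class and function name (`ForumService`, `edit_answer`, `EditNotAllowed`, the `lock_accepted` flag) is invented here, and the answer bodies are constructed sample strings. `reproduce()` replays the report's steps with the lock on and off so the difference in what readers of the question end up seeing is visible.

```python
"""Added example: a "lock once accepted" business rule for Q&A answers.

Illustrative code written for this page, not support.mozilla.org / Kitsune code.
All names below are invented for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class EditNotAllowed(Exception):
    """Raised when an edit violates a business rule (here: answer already accepted)."""


@dataclass
class Answer:
    answer_id: int
    author: str
    body: str
    accepted: bool = False
    history: List[str] = field(default_factory=list)  # previous bodies, kept for auditing


@dataclass
class Question:
    question_id: int
    author: str
    title: str
    answers: Dict[int, Answer] = field(default_factory=dict)
    solution_id: Optional[int] = None


class ForumService:
    """Minimal in-memory stand-in for the Q&A backend (hypothetical)."""

    def __init__(self) -> None:
        self._questions: Dict[int, Question] = {}
        self._next_id = 1

    def _alloc(self) -> int:
        i = self._next_id
        self._next_id += 1
        return i

    def ask(self, author: str, title: str) -> Question:
        q = Question(self._alloc(), author, title)
        self._questions[q.question_id] = q
        return q

    def answer(self, question: Question, author: str, body: str) -> Answer:
        a = Answer(self._alloc(), author, body)
        question.answers[a.answer_id] = a
        return a

    def accept(self, question: Question, actor: str, answer_id: int) -> None:
        # Only the question's author may choose the solution.
        if actor != question.author:
            raise PermissionError("only the question author can accept an answer")
        answer = question.answers[answer_id]
        answer.accepted = True
        question.solution_id = answer_id

    def edit_answer(self, question: Question, actor: str, answer_id: int,
                    new_body: str, *, lock_accepted: bool = True) -> Answer:
        answer = question.answers[answer_id]
        # Ownership check: a user may only edit their own answer.
        if actor != answer.author:
            raise PermissionError("only the answer's author can edit it")
        # The rule the report asks for: an accepted answer is frozen.
        # lock_accepted=False reproduces the reported behaviour for comparison.
        if lock_accepted and answer.accepted:
            raise EditNotAllowed(
                f"answer {answer_id} is the accepted solution and can no longer be edited")
        answer.history.append(answer.body)
        answer.body = new_body
        return answer


def reproduce(lock_accepted: bool) -> str:
    """Replay the report's steps; return the body readers see as the solution."""
    svc = ForumService()
    q = svc.ask("user_a", "Question title (constructed)")                 # step 2
    a = svc.answer(q, "user_b", "Original answer body (constructed)")     # step 3
    svc.accept(q, "user_a", a.answer_id)                                   # step 4
    try:
        svc.edit_answer(q, "user_b", a.answer_id, "Edited body (constructed)",
                        lock_accepted=lock_accepted)                       # step 6
    except EditNotAllowed:
        pass  # with the lock on, the edit is refused and the shown answer is unchanged
    return q.answers[q.solution_id].body
```

With `lock_accepted=False` the edited text replaces what readers of the question see, which is the behaviour the report describes; with the lock on, the accepted body stays as it was when the question author chose it, and `history` keeps the earlier versions if a later review is needed.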
Comment 1•2 years ago
Hello Tasos,
Can you please take a look? I don't think this is a security issue and I closed it as informative on HackerOne. I am curious whether it would be possible to lock the answer once it's chosen as the accepted answer.
Thanks,
Frida
Comment 2•2 years ago
Hi Frida,
I would agree that it's not a security bug. I will keep this bug open and have a conversation with the stakeholders about the functionality of the site and whether we want to lock the editing of a question after it's marked as the solution.
Comment 3•2 years ago
Frida, could you remove the security flag? I don't have permission to do so.
Comment 4•2 years ago
Done. Please let me know if you need anything else.