Closed Bug 1888537 Opened 1 year ago Closed 1 year ago

User approval request status and approver details Exposure on https://normandy.cdn.mozilla.net/api/v1/approval_request/

Categories: Firefox :: Normandy Server, defect

Version: Firefox 124

Status: RESOLVED MOVED

People: Reporter: bulbulbigboss, Unassigned

Attachments: 1 file

Attached image Screenshot_2.png

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Firefox for Android

Steps to reproduce:

User approval request status and approver details Exposure on https://normandy.cdn.mozilla.net/api/v1/approval_request/

  1. Navigate to https://normandy.cdn.mozilla.net/api/v1/approval_request/
  2. All the approval_request data is exposed to anyone.
  3. You can also check a specific user by id: https://normandy.cdn.mozilla.net/api/v1/approval_request/2003/

Actual results:

User email, id and other details are exposed.

Example:

  {
    "id": 1,
    "created": "2017-04-11T22:08:14.915977Z",
    "creator": {
      "id": 4,
      "first_name": "Rob",
      "last_name": "Rayborn",
      "email": "rrayborn@mozilla.com"
    },
    "approved": true,
    "approver": {
      "id": 10,
      "first_name": "Tyler",
      "last_name": "Downer",
      "email": "tdowner@mozilla.com"
    },
    "comment": "+1"
  }

Expected results:

No one should be able to see other users' approval request status.
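A defender-side check for the kind of record quoted in this report, added here as an example and not code from Normandy or from the reporter: it walks an approval_request document of the shape shown above, lists the paths that hold personal data, and produces the reduced view an unauthenticated caller would get if such fields were restricted to logged-in users. The sample record, the PII_FIELDS policy and the function names are constructed assumptions.

```python
import json
import re

# Constructed sample in the same shape as the approval_request record
# quoted in the bug report; names and addresses are placeholders.
SAMPLE_RESPONSE = json.loads("""
{
  "id": 1,
  "created": "2017-04-11T22:08:14.915977Z",
  "creator": {"id": 4, "first_name": "Alice", "last_name": "Example",
              "email": "alice@example.org"},
  "approved": true,
  "approver": {"id": 10, "first_name": "Bob", "last_name": "Example",
               "email": "bob@example.org"},
  "comment": "+1"
}
""")

# Field names treated as PII wherever they appear in a response.
# Hypothetical policy, not Normandy's; adjust to the service's data model.
PII_FIELDS = {"email", "first_name", "last_name"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def find_pii(obj, path=""):
    """Return JSON-pointer-like paths of values that look like PII,
    matched either by field name or by email-address shape."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}/{key}"
            looks_like_email = isinstance(value, str) and EMAIL_RE.fullmatch(value)
            if key in PII_FIELDS or looks_like_email:
                hits.append(child)
            hits.extend(find_pii(value, child))  # recurse into nested objects
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_pii(item, f"{path}/{i}"))
    return hits


def redact_for_anonymous(obj):
    """Copy of the document with PII fields dropped; audit fields such as
    id, approved, comment and created are kept for the public view."""
    if isinstance(obj, dict):
        return {k: redact_for_anonymous(v) for k, v in obj.items() if k not in PII_FIELDS}
    if isinstance(obj, list):
        return [redact_for_anonymous(v) for v in obj]
    return obj
```

Running find_pii over a real response before it is served is a cheap regression check that a public serializer has not started emitting fields the team considers private.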

Duplicate of this bug: 1888608

Possible website security issues should be reported via one of the Mozilla HackerOne bug bounty programs and not via Bugzilla.

See: https://www.mozilla.org/en-US/security/web-bug-bounty/

Component: Untriaged → Normandy Server

Can I report it on HackerOne?

Yes, that's what Andrew meant in comment 2.

Issue moved to HackerOne.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → MOVED

(In reply to Bulbul Bigboss from comment #3)

> Can I report it on HackerOne?

I have reported it on HackerOne; below is the report URL:
https://hackerone.com/reports/2448482

Group: firefox-core-security

Hi Daniel Veditz [:dveditz]

Thanks for the response.

I just wanted to point out that although the report was marked as Informative, the issue I reported has since been fixed. This indicates that it was a valid finding and the behavior wasn’t truly expected.

If it was indeed intended to be public, there wouldn’t have been any need to make changes after the report. I’d appreciate clarification on why it was marked as Informative despite the fix, and whether similar data exposures should be reported in the future or are considered out of scope.

Thanks again,
@bulbulbigboss

Hi @Daniel Veditz

When I initially reported the issue at https://normandy.cdn.mozilla.net/api/v1/approval_request/, the endpoint was publicly exposing PII (personally identifiable information) such as full names and email addresses of Mozilla employees, along with internal approval request and approver details.

As shown in the attached screenshot (Screenshot_2.png), this data was publicly accessible without authentication and could be enumerated through ID-based access.

However, after the report was closed as Informative, the endpoint was updated and now returns the following error:

<Error>
  <Code>NoSuchKey</Code>
  <Message>The specified key does not exist.</Message>
</Error>

This clearly indicates the issue was acknowledged and fixed. If it were truly expected behavior, I assume no changes would have been made.

Could you please clarify why the report did not qualify for a bounty, despite the fix? I'd like to better understand Mozilla’s expectations for future submissions and whether similar issues are considered in scope.

Thanks again for your time and consideration,
@bulbulbigboss

Hello Bulbul, the Normandy service is being shut down; accessing the main endpoint https://normandy.cdn.mozilla.net also returns the same error message. No changes were made as a result of your report. Thanks.

(In reply to Bulbul Bigboss from comment #8)

> When I initially reported the issue at https://normandy.cdn.mozilla.net/api/v1/approval_request/, the endpoint was publicly exposing PII (personally identifiable information) such as full names and email addresses of Mozilla employees, along with internal approval request and approver details.

We believe very strongly that transparency breeds trust, and that means letting people see all the ways Firefox gets made (or in this case, experimented upon). There are people who have chosen to be pseudonymous and others who use their real names, but everyone knows their "contributor identity" is going to be public. Approvals, too, are public because in the experiment system that's kind of equivalent to checking-in code.

See https://www.mozilla.org/en-US/about/manifesto/#:~:text=Principle%208,trust.

The HackerOne report did not qualify for a bounty because information related to Firefox open source development is intentionally public.
