Closed Bug 282260 Opened 20 years ago Closed 20 years ago

When above URL was forwarded to colleague it gave him full access to my email account at rr34@nyu.edu

Categories

(SeaMonkey :: General, defect)

x86
Windows XP
defect
Not set
major

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: rr34, Unassigned)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040614 Firefox/0.9
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040614 Firefox/0.9

I was in Mozilla.  I forwarded a page to colleague.  It went to MSN to forward
link.  When colleague received link it gave him full access to my email account
at NYU.  When I complained to MSN/Verizon they said the problem was with
Mozilla, not them.

Reproducible: Always

Steps to Reproduce:
1. Go to inbox.
2. Select Poynter on line.
3. Forward document from Poynter to colleague. Forwarding went through MSN site.

Actual Results:  
When colleague received link and clicked on it, it gave him full access to my
email account at NYU.  I tested this by sending document to myself and it did
just what my colleague said.

Expected Results:  
Send only the document forwarded.

This problem actually has nothing to do with either MSN/Verizon or Mozilla, this
is NYU's fault.  Complain to them.  They included a session ID in the URL, and
trusted it when it was used from a different IP address.  In my opinion this is
completely the fault of the website.

Assignee: Bugzilla-alanjstrBugs → general
Group: webtools-security → mozillaorgconfidential
Component: Web Site → General
Product: Update → Mozilla Application Suite
QA Contact: mozilla.update → general
Target Milestone: 1.0 → ---

Fixing security flag to correct security group.
Group: mozillaorgconfidential → security

Agreed. Passing session info in URLs has been a no-no of web application design
for nearly the entire history of the web--it didn't take long to figure out the
problems with that approach. Note that it's an "http:" URL, meaning no
encryption used. Anyone with access to the network cable (or worse, wireless
hotspot) between you and the mail server could read and use that session ID.

Checking the source IP can help, but with people sitting behind routers and
proxies sharing IP addresses that alone doesn't make it safe to pass a session
ID around in the URL.

Luckily the sessionID only works while you're logged on so the window of
vulnerability can be reduced if you explicitly log out rather than simply wait
for the session to time out.

Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
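
Added example (not part of the original bug thread or any project's code): a log audit for the flaw described in the comments above, finding session IDs carried in URLs and flagging any presented from more than one client IP. The parameter names and log lines are assumptions constructed for illustration; the page does not give the mail site's actual URL format.

```python
"""Flag session IDs carried in URLs and reused from more than one client IP."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter names; the page does not say which one the mail site used.
SESSION_PARAMS = {"sid", "sessionid", "session_id", "jsessionid", "phpsessid"}

# Constructed sample in common log format (documentation-range addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Feb/2005:09:00:01 +0000] "GET /inbox?sid=AAA111&folder=INBOX HTTP/1.1" 200 5120
192.0.2.10 - - [10/Feb/2005:09:00:40 +0000] "GET /msg?sid=AAA111&id=42 HTTP/1.1" 200 2048
198.51.100.7 - - [10/Feb/2005:09:05:12 +0000] "GET /msg?sid=AAA111&id=42 HTTP/1.1" 200 2048
203.0.113.5 - - [10/Feb/2005:09:06:00 +0000] "GET /inbox;jsessionid=BBB222?folder=INBOX HTTP/1.1" 200 5120
203.0.113.5 - - [10/Feb/2005:09:07:00 +0000] "GET /help HTTP/1.1" 200 300
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:\S+) (\S+)[^"]*"')


def session_ids_in_url(url):
    """Return session tokens found in the query string or ;path parameters."""
    parts = urlsplit(url)
    found = [v for k, v in parse_qsl(parts.query) if k.lower() in SESSION_PARAMS]
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            key, _, value = param.partition("=")
            if key.lower() in SESSION_PARAMS and value:
                found.append(value)
    return found


def audit(log_text):
    """Map each URL-borne session ID to the set of client IPs that presented it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            for sid in session_ids_in_url(m.group(2)):
                seen[sid].add(m.group(1))
    return dict(seen)


def shared_sessions(log_text):
    """Session IDs presented by more than one IP: the forwarded-link symptom."""
    return {sid: ips for sid, ips in audit(log_text).items() if len(ips) > 1}


if __name__ == "__main__":
    print(shared_sessions(SAMPLE_LOG))
```

As the comment above notes, clients behind a shared router or proxy present the same IP, so an empty `shared_sessions` result does not show the URLs are safe; any session ID that `audit` finds in a URL at all is the finding.
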
I noticed the website's title is "iPlanet Messenger Express" -- I sure hope the
session ID flaw doesn't persist in the mail server RedHat recently bought from
AOL who got it back after the iPlanet joint venture with Sun came to an end.
We'll certainly have a look and see before we do release any software based on it.