Closed
Bug 687790
Opened 14 years ago
Closed 12 years ago
UI Redressing and CSRF
Categories
(Websites Graveyard :: getpersonas.com, defect)
Websites Graveyard
getpersonas.com
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: croddz182, Unassigned)
References
Details
(Keywords: sec-low, Whiteboard: [site:www.getpersonas.com][site:forums.mozilla.org][site:addons.mozilla.org])
User Agent: Mozilla/5.0 (Windows NT 6.0; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Build ID: 20110902133214
Actual results:
1. getpersonas.com: UI redressing on account details, currently allowing the user's email preferences to be changed without their consent.
2. forums.mozilla.org: UI redressing on the user control panel, a good example being a privacy violation where the user's settings can be changed to show their online status.
3. Both addons.mozilla.org and getpersonas.com login features don't have an anti-CSRF token, allowing brute-force scripts through and CSRF attempts.
Expected results:
Use a frame-busting HTTP header and JavaScript to prevent UI redressing.
Use a security token when logging in to prevent CSRF.
Comment 2•14 years ago
Since two of the three are in the AMO product I'm moving the bug. getpersonas.com is a separate component, should we clone that part into a separate bug?
Group: websites-security → client-services-security
Component: www.mozilla.org → Code Quality
Product: Websites → addons.mozilla.org
QA Contact: www-mozilla-org → code-quality
Updated•14 years ago
Component: Code Quality → Public Pages
QA Contact: code-quality → web-ui
Comment 3•14 years ago
www.getpersonas.com should use X-Frame-Options: DENY on the sign-in and edit account pages in addition to frame-busting scripts. Ditto forums (if not the whole site).
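The two layers comment 3 recommends, as an added example (not code from this bug or from the getpersonas, AMO or forums sites): the X-Frame-Options: DENY header on the sign-in and edit-account responses, plus a frame-busting script that fails closed. The script hides the body by default and only reveals it once it has proved the page is top-level, so a bust that is blocked (for example by an iframe sandbox) still leaves nothing for a click to land on. The function names and the shape of the mock window object are this example's own assumptions.

```javascript
// Added example, not code from this bug or from the getpersonas/AMO/forums
// sites. Function names and the window-like object shape are assumptions
// made for illustration.

// Layer 1: the response header. DENY refuses every framing context; use
// SAMEORIGIN only if the page genuinely has to be framed by its own site.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Type': 'text/html; charset=utf-8',
  };
}

// Layer 2: markup for browsers that ignore the header. The body starts out
// hidden; the script removes the hiding style only when the document is
// top-level, and otherwise tries to navigate the top window to itself.
function antiFramingMarkup() {
  return [
    '<style id="antiClickjack">body{display:none !important;}</style>',
    '<script>',
    'if (self === top) {',
    '  var s = document.getElementById("antiClickjack");',
    '  s.parentNode.removeChild(s);',
    '} else {',
    '  top.location = self.location;',
    '}',
    '</script>',
  ].join('\n');
}

// The same decision as the inline script, written as a pure function over a
// window-like object so it can be exercised outside a browser.
//   win = { self, top, hidingStyle: { removed: boolean } }
// Returns 'render' (top-level, page revealed), 'bust' (framed, top window
// redirected to us) or 'stay-hidden' (framed and the bust was blocked; the
// body stays display:none, which is the point of hiding it up front).
function frameBustDecision(win) {
  if (win.self === win.top) {
    win.hidingStyle.removed = true;        // reveal the page
    return 'render';
  }
  try {
    win.top.location = win.self.location;  // navigate the framing window to us
    return 'bust';
  } catch (e) {
    return 'stay-hidden';                  // bust blocked; nothing is clickable
  }
}
```

Serve antiFramingHeaders() on every response for the sign-in and edit-account pages and put antiFramingMarkup() at the top of the document, before any clickable content is rendered.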
Comment 4•14 years ago
The new AMO login form is designed to show a captcha if the user fails auth 5 times. This form is on our staging server but isn't in production yet. I filed bug 687971 since I don't see the captcha, but the code is there so I suspect it's just not configured yet. We're testing out the new login form on our stage server right now, in an effort to get it live.
The captcha should answer the brute force problem - is there anything else here for AMO?
Comment 5•14 years ago
Are the AMO forums not part of AMO? there's the clickjacking problem there (3).
Isn't getpersonas being rolled into AMO? There's clickjacking there, too (2).
If those aren't considered AMO then perhaps this bug should be moved. Sounds like you were already addressing (3), though why not add an anti-CSRF token to the form anyway just in case?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 6•14 years ago
(In reply to Daniel Veditz from comment #5)
> Are the AMO forums not part of AMO? there's the clickjacking problem there
> (3).
The forums are an install of phpbb. It's a part of AMO in name only, I suppose.
> Isn't getpersonas being rolled into AMO? There's clickjacking there, too (2).
Yep, as of right now getpersonas.com is not a part of AMO though, it has its own component, websites::getpersonas.
> If those aren't considered AMO then perhaps this bug should be moved.
Yeah, this should be 3 bugs. 2 now I guess, since I don't think there is an AMO login issue.
> Sounds
> like you were already addressing (3), though why not add an anti-CSRF token
> to the form anyway just in case?
The new AMO form (https://addons-dev.allizom.org/en-US/firefox/users/login) does have a csrf token.
Comment 7•14 years ago
I filed bug 689854 for the forums. Getpersonas is end of lifed and I don't think these are sg:critical so I don't think they'd get fixed.
Regarding AMO - is there a reason to keep the bug open?
Comment 9•14 years ago
We'll look at problem 2 in the separate bug, but #3 is not a problem and #1 does not qualify for a bug bounty. We should still slap an X-frame-options on there since it's easy.
Group: client-services-security → websites-security
Component: Public Pages → getpersonas.com
Product: addons.mozilla.org → Websites
QA Contact: web-ui → getpersonas-com
Comment 12•12 years ago
(In reply to Wil Clouser [:clouserw] from comment #7)
> Getpersonas is end of lifed [...]
And yet the lightweight-themes feature was just added to Firefox for Android, so clearly people still like them. Where are they supposed to get themes if the site is dead?
Comment 14•12 years ago
(In reply to Daniel Veditz [:dveditz] from comment #12)
> (In reply to Wil Clouser [:clouserw] from comment #7)
> > Getpersonas is end of lifed [...]
>
> And yet the lightweight-themes feature was just added to Firefox for
> Android, so clearly people still like them. Where are they supposed to get
> themes if the site is dead?
Long-running plan has been to migrate all the themes to the marketplace. See http://micropipes.com/greaterpercona/ This goal was hijacked to do b2g stuff for the past year but is still on our radar. Expect progress next year.
Updated•12 years ago
Whiteboard: [site:www.getpersonas.com][site:forums.mozilla.org][site:addons.mozilla.org]
Comment 15•12 years ago
getpersonas.com has been retired. More information at https://blog.mozilla.org/addons/2013/04/11/background-themes-have-moved-to-amo/
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
Updated•12 years ago
Product: Websites → Websites Graveyard