Closed Bug 700609 (wh-6095479) Opened 13 years ago Closed 13 years ago

Insufficient Anti-automation on AMO abuse form for authenticated users

Categories

(addons.mozilla.org Graveyard :: Developer Pages, defect)

defect
Not set
minor

Tracking

(Not tracked)

VERIFIED WONTFIX

People

(Reporter: mgoodwin, Unassigned)

Details

(Whiteboard: [infrasec:bestpractice][ws:low][wh-6095479][wh-7453206])

Issue:

When not authenticated to the application, a CAPTCHA is used when reporting abuse. However, once authenticated, the CAPTCHA is no longer required and is not displayed on the 'Report Abuse' page.

Remediation:

CAPTCHA should be required for authenticated users to prevent automated attacks.
Alias: wh-6095479
Group: client-services-security
Whiteboard: [infrasec:bestpractice][ws:low][wh-6095479] → [infrasec:bestpractice][ws:low][wh-6095479][wh-7453206]
Alternative remediation could also include something like limiting the rate of requests for a given user.
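A sketch of the per-user rate limit suggested in the comment above, combined with the CAPTCHA that anonymous reporters already get. This is an added example, not AMO's code: the class name, the soft/hard thresholds and the in-memory store are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class AbuseReportThrottle:
    """Per-user sliding-window limiter for abuse-report submissions.

    Hypothetical policy: the first `soft_limit` reports in a window are
    accepted without friction, further ones need a solved CAPTCHA, and
    nothing is accepted once `hard_limit` is reached.
    """

    def __init__(self, soft_limit=3, hard_limit=10, window=3600.0,
                 clock=time.monotonic):
        self.soft_limit = soft_limit
        self.hard_limit = hard_limit
        self.window = window          # seconds
        self.clock = clock            # injectable so tests can control time
        # In-memory store for the example only; a multi-process site would
        # need a shared store with expiry (assumption, not AMO's design).
        self._accepted = defaultdict(deque)

    def decide(self, user_id, captcha_passed=False):
        """Return 'accept', 'challenge' (show CAPTCHA) or 'reject'."""
        if user_id is None:
            # Anonymous reporter: CAPTCHA is always required, as on the page.
            return "accept" if captcha_passed else "challenge"
        now = self.clock()
        hits = self._accepted[user_id]
        # Drop accepted submissions that have aged out of the window.
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= self.hard_limit:
            return "reject"
        if len(hits) >= self.soft_limit and not captcha_passed:
            return "challenge"
        hits.append(now)
        return "accept"
```

Only accepted submissions count against the window, so a user who is shown the challenge and abandons it is not pushed toward the hard limit.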
Summary: CAPTCHA missing on AMO abuse form for authenticated users (Insufficient Anti-automation) → Insufficient Anti-automation on AMO abuse form for authenticated users
This hasn't been a problem in the past and it's something we'll deal with if it comes up. Submissions here do nothing but add to a queue so there may be opportunity for a weak DoS but automated abuse isn't going to have lasting repercussions.

-> wontfix
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
Thanks
Status: RESOLVED → VERIFIED
Group: client-services-security
Product: addons.mozilla.org → addons.mozilla.org Graveyard