Closed
Bug 702597
Opened 13 years ago
Closed 13 years ago
Insufficient anti-automation on support voting buttons
Categories
(support.mozilla.org :: Forum, task)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: mgoodwin, Unassigned)
Details
(Whiteboard: [infrasec:bestpractice][ws:low][wh-7112747][wh-7112760][wh-7112777])
Issue: The "was this reply helpful", "I have this problem too" and "was this article helpful" functionality can be automated to place a large number of votes; all the attacker must do is block attempts to set the SUMO_ANONID cookie.

Steps to reproduce:
1) Navigate to the specified URL
2) Vote using one of the aforementioned buttons
3) Observe the vote is counted
4) Clear cookies
5) Repeat steps 1-3

Resolution: It would be nice if we could do something to prevent automated abuse of this feature. Possibilities could include rate limiting requests from a particular IP or implementing a CAPTCHA.
Comment 1•13 years ago
We specifically decided these were too low-interest as a target to care. We could rate-limit voting by IP but there is no particular incentive to automate voting for a question or answer, and that risks punishing legitimate users behind NAT. We're not going to put a CAPTCHA on our lowest-barrier method of engagement. Given the type of interaction, that recommendation doesn't make sense.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
Comment 2•13 years ago (Reporter)
That's fine. Thanks
Comment 3•8 years ago
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security
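
An added example, not part of the bug thread and not SUMO's code: one way to reconcile the per-IP rate limit suggested in the report with the NAT concern raised in comment 1, by applying the IP budget only to votes that arrive without an aged anonymous ID. The `VoteGate` class, its thresholds and the ID-age rule are assumptions made for illustration; the IP address and IDs in any usage are constructed.

```python
import time
from collections import defaultdict, deque


class VoteGate:
    """Decide whether an anonymous vote is counted.

    Assumed policy (not SUMO's own): an anonymous ID the server issued at
    least `min_id_age` seconds ago gets one vote per target. A missing,
    unknown or freshly issued ID shares a per-IP sliding-window budget, so
    clearing or blocking the cookie does not yield unlimited votes, while
    NAT users who keep their cookie are not throttled by IP.
    """

    def __init__(self, min_id_age=600, fresh_limit=3, window=3600):
        self.min_id_age = min_id_age
        self.fresh_limit = fresh_limit
        self.window = window
        self.issued = {}                  # anon_id -> time the server issued it
        self.counted = set()              # (anon_id, target) pairs already counted
        self.fresh = defaultdict(deque)   # ip -> times of votes without an aged ID

    def issue_id(self, anon_id, now=None):
        """Record an ID at the moment the server sets the cookie."""
        self.issued.setdefault(anon_id, time.time() if now is None else now)

    def allow(self, ip, target, anon_id=None, now=None):
        now = time.time() if now is None else now
        issued_at = self.issued.get(anon_id)
        if issued_at is not None:
            if (anon_id, target) in self.counted:
                return False              # this ID already voted on this target
            if now - issued_at >= self.min_id_age:
                self.counted.add((anon_id, target))
                return True
        # Missing, unknown or fresh ID: fall back to the per-IP budget.
        stamps = self.fresh[ip]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()              # drop votes that left the window
        if len(stamps) >= self.fresh_limit:
            return False
        stamps.append(now)
        if issued_at is not None:
            self.counted.add((anon_id, target))
        return True
```

In a real deployment the ID would also need to be server-signed so a client cannot present an arbitrary value, and the in-memory state would live in a shared store.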