Closed Bug 702597 Opened 13 years ago Closed 13 years ago

Insufficient anti-automation on support voting buttons

Categories

(support.mozilla.org :: Forum, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: mgoodwin, Unassigned)

Details

(Whiteboard: [infrasec:bestpractice][ws:low][wh-7112747][wh-7112760][wh-7112777])

Issue:
The "was this reply helpful", "I have this problem too" and "was this article helpful" functionality can be automated to place a large number of votes; all the attacker must do is block attempts to set the SUMO_ANONID cookie.

Steps to reproduce:
1) Navigate to the specified URL
2) Vote using one of the aforementioned buttons
3) Observe the vote is counted
4) Clear cookies
5) Repeat steps 1-3

Resolution:
It would be nice if we could do something to prevent automated abuse of this feature. Possibilities could include rate limiting requests from a particular IP or implementing a CAPTCHA.

We specifically decided these were too low-interest as a target to care. We could rate-limit voting by IP but there is no particular incentive to automate voting for a question or answer, and that risks punishing legitimate users behind NAT.

We're not going to put a CAPTCHA on our lowest-barrier method of engagement. Given the type of interaction, that recommendation doesn't make sense.

Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX

That's fine. Thanks

These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security
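
One way the per-IP limit discussed in this bug could be scoped so that it charges only votes whose SUMO_ANONID value is missing or never seen before, leaving returning visitors behind a shared address alone. This is an added example, not code from support.mozilla.org; the class, thresholds and sample events are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600  # assumed window length
NEW_ID_BUDGET = 5     # assumed first-time voters allowed per IP per window


class VoteGate:
    """Server-side vote check; every name and threshold here is hypothetical."""

    def __init__(self, window=WINDOW_SECONDS, budget=NEW_ID_BUDGET):
        self.window = window
        self.budget = budget
        self.known_ids = set()               # anon IDs with an accepted vote
        self.voted = set()                   # (anon_id, target) already counted
        self.new_by_ip = defaultdict(deque)  # ip -> times of first-time votes

    def check(self, ts, ip, anon_id, target):
        """Return 'accepted', 'duplicate' or 'throttled' for one vote."""
        if anon_id in self.known_ids:
            # Returning visitor: one vote per target, no IP budget charged.
            if (anon_id, target) in self.voted:
                return "duplicate"
            self.voted.add((anon_id, target))
            return "accepted"
        # Cookie absent or never seen before: charge the per-IP budget.
        recent = self.new_by_ip[ip]
        while recent and ts - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.budget:
            return "throttled"
        recent.append(ts)
        if anon_id is not None:
            self.known_ids.add(anon_id)
            self.voted.add((anon_id, target))
        return "accepted"


def replay(events):
    """Run (ts, ip, anon_id, target) tuples through a fresh gate."""
    gate = VoteGate()
    return [gate.check(*event) for event in events]


# Constructed sample: three people behind one NAT address, then one client
# that never returns the cookie and votes eight times in eight seconds.
NAT, SCRIPTED = "198.51.100.7", "203.0.113.9"
SAMPLE = [(0, NAT, "a1", "q1"), (30, NAT, "a2", "q1"), (60, NAT, "a3", "q1"),
          (90, NAT, "a1", "q2"), (95, NAT, "a1", "q1")]
SAMPLE += [(100 + i, SCRIPTED, None, "q1") for i in range(8)]
```

First-time voters behind one busy NAT address can still exhaust the budget, so the trade-off raised in the thread is reduced rather than removed.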