Insufficient anti-automation on support voting buttons

RESOLVED WONTFIX

Status

support.mozilla.org
Forum
RESOLVED WONTFIX
7 years ago
2 years ago

People

(Reporter: mgoodwin, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [infrasec:bestpractice][ws:low][wh-7112747][wh-7112760][wh-7112777], URL)

(Reporter)

Description

7 years ago
Issue:
The "was this reply helpful", "I have this problem too" and "was this article helpful" functionality can be automated to place a large number of votes; all the attacker must do is block attempts to set the SUMO_ANONID cookie.

Steps to reproduce:
1) Navigate to the specified URL
2) Vote using one of the aforementioned buttons
3) Observe the vote is counted
4) Clear cookies
5) Repeat steps 1-3

Resolution:
It would be nice if we could do something to prevent automated abuse of this feature. Possibilities could include rate limiting requests from a particular IP or implementing a CAPTCHA.
We specifically decided these were too low-interest as a target to care. We could rate-limit voting by IP but there is no particular incentive to automate voting for a question or answer, and that risks punishing legitimate users behind NAT.

We're not going to put a CAPTCHA on our lowest-barrier method of engagement. Given the type of interaction, that recommendation doesn't make sense.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WONTFIX
(Reporter)

Comment 2

7 years ago
That's fine. Thanks
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security
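
Added example, not part of the original bug report and not Mozilla's code: a monitoring-only check for the pattern in the description (repeated votes that never present SUMO_ANONID). It flags rather than blocks, so users sharing one NAT address are not penalised. The event tuple layout, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding window
MAX_COOKIELESS = 5    # assumed threshold per (ip, target) inside the window

# Constructed events: (unix_time, client_ip, vote_target, has_sumo_anonid_cookie)
SAMPLE_EVENTS = (
    # One client voting on one target and never sending the cookie back.
    [(1000 + i, "198.51.100.7", "question/1", False) for i in range(8)]
    # Ordinary browser: first request has no cookie, later ones present it.
    + [(1000 + 10 * i, "203.0.113.20", "question/1", i > 0) for i in range(8)]
    # Shared NAT address: several first-time voters, each on a different target.
    + [(1000 + i, "192.0.2.50", f"question/{i}", False) for i in range(8)]
)


def flag_cookieless_bursts(events, window=WINDOW_SECONDS, limit=MAX_COOKIELESS):
    """Return the (ip, target) pairs with more than `limit` votes that carried
    no SUMO_ANONID cookie within any `window`-second span."""
    recent = defaultdict(deque)   # (ip, target) -> timestamps of cookieless votes
    flagged = set()
    for ts, ip, target, has_cookie in sorted(events, key=lambda e: e[0]):
        if has_cookie:
            continue              # client presented its anonymous ID; not this pattern
        q = recent[(ip, target)]
        q.append(ts)
        while q and q[0] <= ts - window:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) > limit:
            flagged.add((ip, target))
    return flagged


if __name__ == "__main__":
    for ip, target in sorted(flag_cookieless_bursts(SAMPLE_EVENTS)):
        print(f"review votes on {target} from {ip}")
```

Keying on the (IP, target) pair instead of the IP alone is what keeps the shared-NAT case in the sample from being flagged.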