Closed Bug 730946 Opened 12 years ago Closed 12 years ago

Vote-limiting code in Firefox Flicks appears to be bypassable

Categories

(mozilla.org :: Security Assurance: Applications, task)


Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: pauljt, Unassigned)


Firefox Flicks has a voting mechanism. There is a protection in the code which appears to limit voting, however it appears implemented on the client-side using cookies, which means that it is trivial to bypass. Note that this couldn't be tested as there were no videos on the site during testing, so needs to be confirmed by developer.

The code in question is located:

https://github.com/mozilla/firefox-flicks/blob/master/flicks/videos/views.py (line 181)

def upvote(request, video_shortlink):
    """Add an upvote to a video."""
    response = HttpResponse(mimetype='application/json')
    if video_shortlink in request.COOKIES:
        response.status_code = 403
        response.content = json.dumps({'error': 'already voted'})
        return response

So it appears that after voting, a user's cookie is set to prevent them voting again. Instead, consider storing this on the user's server-side session so it can't be modified.

This is expected. The votes won't actually be used in the judging, so we're not concerned about users cheating the system.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
Summary: Voting limiting code in Firefox Flicks appears to be bypassable → Vote-limiting code in Firefox Flicks appears to be bypassable
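
The difference between the cookie check quoted in the report and a server-side vote record, as an added framework-free example (not code from the firefox-flicks repository). The names `upvote_cookie`, `VoteStore`, `upvote_server` and `compare`, the success path of the cookie handler, and the `voter_id` value (assumed to be an identity the server establishes itself, such as a logged-in account) are assumptions made for illustration.

```python
import json


def upvote_cookie(cookies, shortlink, counts):
    """Check described in the report: the 'already voted' flag is a cookie
    the client sends back. Returns (status, body, cookies_to_set)."""
    if shortlink in cookies:
        return 403, json.dumps({'error': 'already voted'}), {}
    counts[shortlink] = counts.get(shortlink, 0) + 1
    # Assumed success path: mark the vote with a cookie named after the video.
    return 200, json.dumps({'success': True}), {shortlink: '1'}


class VoteStore:
    """Server-side record of who voted for what; the client never holds it."""

    def __init__(self):
        self._voted = set()
        self.counts = {}

    def record(self, voter_id, shortlink):
        key = (voter_id, shortlink)
        if key in self._voted:
            return False
        self._voted.add(key)
        self.counts[shortlink] = self.counts.get(shortlink, 0) + 1
        return True


def upvote_server(store, voter_id, shortlink):
    """voter_id is assumed to come from server-side state (for example the
    logged-in account), never from a value the client can edit."""
    if voter_id is None:
        return 401, json.dumps({'error': 'login required'})
    if not store.record(voter_id, shortlink):
        return 403, json.dumps({'error': 'already voted'})
    return 200, json.dumps({'success': True})


def compare(requests=5, shortlink='abc123'):
    """Repeat one vote from a client that does not return the cookie."""
    cookie_counts, store = {}, VoteStore()
    cookie_statuses = [upvote_cookie({}, shortlink, cookie_counts)[0]
                       for _ in range(requests)]
    server_statuses = [upvote_server(store, 'user-1', shortlink)[0]
                       for _ in range(requests)]
    return (cookie_counts[shortlink], store.counts[shortlink],
            cookie_statuses, server_statuses)


if __name__ == '__main__':
    print(compare())
```

The server-side record only limits votes per `voter_id`; if that identifier is itself derived from an anonymous session cookie, the limit is again only as strong as the cookie.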