Closed
Bug 738776
Opened 12 years ago
Closed 12 years ago
Prevent repeat in-app payments with nonce
Categories
(addons.mozilla.org Graveyard :: API, defect, P1)
Tracking
(Not tracked)
RESOLVED
WONTFIX
6.5.1
People
(Reporter: kumar, Assigned: kumar)
References
Details
Implement some sort of nonce to prevent in-app payments from being submitted twice (and also to prevent replay attacks).
|
Assignee | |
Updated•12 years ago
|
|
||
Updated•12 years ago
|
Target Milestone: 6.4.8 → 6.4.9
|
|
||
Updated•12 years ago
|
Target Milestone: 6.4.9 → 6.5.0
|
|
Assignee | |
Updated•12 years ago
|
Target Milestone: 6.5.0 → 6.5.1
|
|
Assignee | |
Comment 1•12 years ago
|
||
This bug was originally filed after security discussions. However, I chatted with rforbes about it and we decided it's a wontfix. Here are our reasons: - The app hosting the iframe won't be able to sniff the POST requests made when the user clicks the confirm button so they can't do a replay attack (rforbes may try to see if he can get sniffing to work) - We already have a csrf token on the confirmation form so we can trust the POST came from our confirmation form In addition to a replay attack, the original topic also included stopping a user from accidentally buying something twice. We decided we can't really prevent that because any product can be legitimately bought twice. We may want to introduce some basic protection for this though like disabling the confirm button after the first click.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
|
||
Updated•8 years ago
|
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•