Closed Bug 769318 Opened 13 years ago Closed 13 years ago

Display purchase complete page while the app is not purchased

Categories

(Marketplace Graveyard :: Payments/Refunds, defect)

Product:
Marketplace Graveyard
Component:
Payments/Refunds
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: xli, Unassigned)

Details

Exploits: 1. I first purchase one app (e.g., novaskin here) and remembered the uuid parameter (cbb9ef1bd36441a296a3b5b9f15a55fa) within the redirection request returned by Paypal to the marketplace. GET https://marketplace.mozilla.org/en-US/app/novaskin/purchase/complete?realurl=None&uuid=cbb9ef1bd36441a296a3b5b9f15a55fa HTTP 1.1 2. I replay the request with another app name (e.g. yohoho here) that I haven't purchased and the above uuid parameter to marketplace. GET https://marketplace.mozilla.org/en-US/app/yohoho/purchase/complete?realurl=None&uuid=cbb9ef1bd36441a296a3b5b9f15a55fa HTTP 1.1 And I got a web page showing that the purchase of yohoho is complete. I was trying to trigger the app to be purchased, but it turned out to be an inconsistency of page display, not a security issue. I am just reporting this and not sure whether this is a serious bug that should be fixed. Thanks, Xiaowei
Group: client-services-security
our purchase flow is completely different. closing
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.