Closed
Bug 772818
Opened 12 years ago
Closed 9 years ago
Login CSRF on Firefox Sync Website
Categories
(Cloud Services :: Server: Account Portal, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: chetan1, Unassigned)
References
Details
(Keywords: wsec-csrf, Whiteboard: [qa?])
Attachments
(1 file)
485 bytes,
text/plain
The login form on the Firefox Sync website [1] is lacking a CSRF protection token. It can be tested out here: http://www.jobsify.in/thesis/check/fsync.html

It is possible to make a good user log in as a bad user with this exploit.

[1] - https://account.services.mozilla.com/
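The protection the report says is missing, as an added example that is not part of the bug report and not Mozilla's code: a token for a login form, issued before any session exists. `SERVER_KEY`, `ALLOWED_ORIGIN` and both function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: generated per process for this demo; a real service loads a
# stable key from its secret store.
SERVER_KEY = secrets.token_bytes(32)
ALLOWED_ORIGIN = "https://login.example"  # placeholder origin, not from the bug


def issue_login_token():
    """Called when rendering the login form, before any session exists.

    Returns (cookie_value, form_field_value). The cookie holds a random
    nonce and the hidden form field holds an HMAC over it. A page on
    another site can neither read nor set this cookie in the visitor's
    browser, so it cannot submit a matching pair.
    """
    nonce = secrets.token_urlsafe(32)
    tag = hmac.new(SERVER_KEY, nonce.encode(), hashlib.sha256).hexdigest()
    return nonce, tag


def login_post_allowed(cookie_nonce, form_tag, origin):
    """Decide whether a login POST may proceed to credential checking."""
    # If the browser sent an Origin header, it must be the site's own origin.
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False
    # A cross-site form has no valid token field for this browser's cookie.
    if not cookie_nonce or not form_tag:
        return False
    expected = hmac.new(SERVER_KEY, cookie_nonce.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), form_tag.encode())
```

The check runs before the password is looked at, so a rejected cross-site POST never creates a session for the submitted account.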
Comment 2•12 years ago
I don't believe this attack poses a significant risk to sync users. There is no user-generated content on the site, only basic account management. This would be interesting with some form of self-XSS to conduct phishing attacks.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•12 years ago
Component: Firefox Sync: UI → Server: Account Portal
Updated•12 years ago
Whiteboard: [qa?]
Comment 7•9 years ago
Sounds like WONTFIX then?
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
Updated•9 years ago
Group: cloud-services-security