Phonebook :: User Login Session :: On successful sign-in the user is shown an error page. On altering the URL, sign-in succeeds.

Status: RESOLVED INVALID
Product / Component: Participation Infrastructure :: Phonebook
Reported: 5 years ago
Last modified: 3 years ago
People: Reporter ravi; Unassigned
Whiteboard: [Triage 2015-04-17]
Attachments: 1 attachment (2.00 MB, application/octet-stream)
Description (Reporter, 5 years ago)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20130116232420

Steps to reproduce:

Story:

A user, ABC, enters a public cyber centre and signs in with her valid account on that computer for the first time. She observes the error page and keeps refreshing it. She observes that she is not yet signed in successfully, though her credentials were authentic and valid. Now she is fed up with this behaviour and leaves the place, closing the browser.

The user LMN comes into the public place and uses the same computer. LMN is a tricky guy who was watching the girl. Now he observes the browser history and fetches the URL in the same browser. He sees the error page being displayed. Now he tweaks the URL and observes that he is signed in successfully.

He closes the browser instances completely. Then he opens a new instance of the same browser with the URL he tweaked. He finds that he is still signed in as the user ABC. Now, ABC being a vouched user account, LMN can start playing around using her credentials.



Important Consideration:

1. Let us not assume that all the users who will be using Mozillians are tech-savvy and techie. There are users who will not be aware of technical details. Protection of their data and identity is the duty of Mozilla as well. In the above case, it is purely a mishandling and a failure of context-appropriate session handling.

2. Using Persona on a public-place computer where a user always sat, browsing the Mozillians URL and using 'This is Me' will sign in successfully with no password prompt. This can be legally questioned too, under the FDC act clause of the USA, for showing the individual's personal identity details.




What are the security violations here?
---------------------------------------------------------

* As per claims of Mozilla:

++ it violates its claims in privacy-policy.html and reveals a person's individual identity information by showing it. User ABC's profile is open to LMN.
++ it violates the Protection of Certain Personally-Identifying Information claims. Details of the user are exposed to the public.





Steps to reproduce:

1. Sign in to Mozillians -- https://mozillians.allizom.org/
2. Sign in using Persona for the first time on that computer with valid credentials. Choose the 'This session only' option in Persona while signing in.
3. Observe the page displayed. It shows -- https://mozillians.allizom.org/browserid/verify
4. Close the browser instance completely.
5. Open a new instance of the browser.
6. Browse to the URL used previously.
7. Tweak the URL https://mozillians.allizom.org/browserid/verify to https://mozillians.allizom.org/.
8. Observe the user being signed in successfully.



Actual results:

1. Successful sign-in session retained.
2. Exposure of the person's details publicly with no constraints. This can be a problem for Mozilla as well if the exploiter is smart enough.



Expected results:

1. The signed-in session should have been terminated on closing the browser instance.
2. A session timeout is required for an active session that is idle for a stipulated time period.
(Reporter)

Updated

5 years ago
Severity: normal → critical
Priority: -- → P1
assigned to dchan for verification
Assignee: nobody → dchan+bugzilla
Severity: critical → normal
Priority: P1 → --
Whiteboard: [verif?]

Comment 2

5 years ago
Hi Ravi,

I am unable to reproduce with the steps provided. I signed into mozillians with a new unvouched account. After selecting 'This session only' I was redirected to the create profile page. Am I missing a step?
(Reporter)

Comment 3

5 years ago
Hi Chan,

I have missed it. Sorry for including the steps. I do not know how it got missed; probably while copy-pasting from my observation notes, I might have skipped that part. Will update in a couple of hours from now.
(Reporter)

Comment 4

5 years ago
Hi Chan,

I have missed it. Sorry for not including the appropriate steps. Will rework on it immediately.

I do not know how it got missed; probably while copy-pasting from my observation notes, I might have skipped critical steps/actions. Will update in a couple of hours from now. Thanks for your time in looking at this report.




(In reply to David Chan [:dchan] from comment #2)
> Hi Ravi,
> 
> I am unable to reproduce with the steps provided. I signed into mozillians
> with a new unvouched account. After selecting 'This session only' I was
> redirected to the create profile page. Am I missing a step?
(Reporter)

Comment 5

5 years ago
Created attachment 719852 [details]
video file


Hi David,

I'm attaching the video file, which includes the actions and behaviour observed. If this does not help, kindly let me know. I will be happy to provide the information you need.

Sorry, last night the network broke down in the place where I was. Hence I was not able to update it. Thanks for waiting.


Attachment Detail:
1. Video file 845299_video.zip attached.

Comment 6

5 years ago
Hi Ravi,

Thanks for the video. I have reproduced the issue on the staging environment. It doesn't seem to work on production so it may be a configuration error. Both staging and production perform a POST to /browserid/verify on successful login. However this produces an error on staging (403 Forbidden). I believe you are already logged in at this point, which explains why you can navigate to the main page and have it work.

Andrei explained in bug 846641 how Persona SSO works. Although this bug doesn't appear to be a security issue in my opinion, it is a bug in our staging environment.

Will:
There appears to be some configuration error on staging which manifests as a 403

STR
1. Login to https://mozillians.allizom.org
2. Clear cookie data / local storage
3. Log back into https://mozillians.allizom.org
4. See "Something went wrong" error page
(https://mozillians.allizom.org/browserid/verify/)

Expected
No error
Assignee: dchan+bugzilla → nobody
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [verif?]
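The check behind the observation in comment 6 and the reporter's expected results, as an added example that is not part of this bug or Mozillians' own code: a small Python audit of a recorded login trace that flags a session cookie handed out on a response that shows the user an error (the 403 from /browserid/verify) and a session cookie carrying Expires or Max-Age, which is written to disk and so survives closing the browser. The two traces are constructed for the example, and the cookie name `sessionid` is an assumption (Django's default); the real cookie name and attributes on staging are not recorded in this bug.

```python
"""Audit an HTTP login trace for the two behaviours reported in this bug:
a session cookie issued on a response that shows the user an error page,
and a session cookie that outlives the browser window.

Added example, not Mozillians' or Persona's own code.  The traces are
constructed, and the cookie name ``sessionid`` is an assumption (Django's
default); the real cookie name and attributes on staging are not on record.
"""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict  # lower-cased attribute name -> value, or True for a bare flag


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 syntax, no validation).
    Splitting on ';' keeps the comma inside an Expires date intact."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return Cookie(name.strip(), value.strip(), attrs)


def is_persistent(cookie: Cookie) -> bool:
    """A cookie with Expires or Max-Age is stored on disk and survives a
    browser restart; without either it is a session cookie and should be
    dropped when the last browser window closes."""
    return "expires" in cookie.attrs or "max-age" in cookie.attrs


def audit_login_trace(trace, session_cookie="sessionid"):
    """Walk a list of {request, status, set_cookie} steps and return
    (issue, request) pairs for every suspicious session cookie."""
    issues = []
    for step in trace:
        for header in step.get("set_cookie", []):
            cookie = parse_set_cookie(header)
            if cookie.name != session_cookie:
                continue
            if step["status"] >= 400:
                # The server established a session and then told the user
                # that sign-in failed: the state comment 6 describes.
                issues.append(("session_set_on_error_response", step["request"]))
            if is_persistent(cookie):
                issues.append(("session_cookie_persistent", step["request"]))
            if cookie.attrs.get("secure") is not True:
                issues.append(("session_cookie_not_secure", step["request"]))
            if cookie.attrs.get("httponly") is not True:
                issues.append(("session_cookie_not_httponly", step["request"]))
    return issues


# Constructed trace modelled on comment 6: the POST to /browserid/verify
# answers 403 yet sets the session cookie, and the cookie is given a
# Max-Age so it survives closing the browser (the reporter's result).
STAGING_TRACE = [
    {"request": "GET /", "status": 200,
     "set_cookie": ["csrftoken=c0ffee; Max-Age=31449600; Path=/; Secure"]},
    {"request": "POST /browserid/verify", "status": 403,
     "set_cookie": ["sessionid=deadbeef; Max-Age=1209600; Path=/; HttpOnly; Secure"]},
    {"request": "GET /", "status": 200, "set_cookie": []},
]

# Constructed trace of the behaviour the reporter expects: the session is
# only created once verification succeeds, and the cookie has no
# Expires/Max-Age, so "This session only" really ends at browser close.
EXPECTED_TRACE = [
    {"request": "GET /", "status": 200,
     "set_cookie": ["csrftoken=c0ffee; Max-Age=31449600; Path=/; Secure"]},
    {"request": "POST /browserid/verify", "status": 200,
     "set_cookie": ["sessionid=deadbeef; Path=/; HttpOnly; Secure"]},
]


if __name__ == "__main__":
    for label, trace in (("staging", STAGING_TRACE), ("expected", EXPECTED_TRACE)):
        print(label, audit_login_trace(trace) or "no findings")
```

To apply this to a real session, record the Set-Cookie headers and status of each response during the STR (browser devtools or a proxy) and feed them in as the trace; the persistence check is what decides whether "This session only" is honoured, and the error-status check is what distinguishes "the login failed" from "the login succeeded but the page said otherwise".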

Comment 7

5 years ago
Opening up since it isn't a security issue. The workflow is confusing though.
Group: websites-security
(Reporter)

Comment 8

5 years ago
Hi David,

smiles... I missed including the details of clearing active sessions (cookies, cache). That was a mistake on my end.

We guessed it could be a configuration-mismatch behaviour at the time of investigation. But on analysing the impact with scenario-based testing, we noticed how a user can be impacted.

It is about perspective and modelling of the problem's impact. The perspective we derived shows that it has to do with the user account. It is like this: Andrei uses his personal laptop or desktop to sign in to Mozillians. But Mozillians is not just for people who have a personal computer or laptop, am I right in my understanding?

If you take a geographical location such as India or elsewhere in Asia, schools, universities and aspirants do not necessarily have or own personal laptops or computers. They have to browse or work from public computers (internet parlour, someone's computer etc.). Imagine me: though not an employee of Mozilla, still a contributor to Mozilla.

Now, the Privacy Policy on Mozillians clearly states that anything that harms a user's identity or reveals their identity is a concern to Mozilla as well as to the person (contributor). Also, the Legal Disclaimers and Limitations written on Mozillians say that anything impacting Mozilla and its users under the "Responsibility of Contributors" and "Responsibility of Website Users" clauses is a problem for the contributor.

Why does it turn out to be a security problem for the contributor? Because she/he used a computer in a public place. And all this arises from Persona or a configuration error; fine, but for me as a user it is a single product -- Mozillians. And it is causing me all this.

What if Andrei were a student from an Asian geographical location using public computers and underwent this problem from a person who exploited his work and credibility in Mozilla? Doesn't it fall under security for identity, and tampering with his individual identity and contribution?

As a tester, I cannot restrict my modelling and thoughts to one angle. Also I cannot limit myself by saying this is not a Mozillians problem. It is a Mozillians problem for now, as the product is used by an integration with Mozillians for signing in.


Hope my advocacy helps to see the problem.
(Reporter)

Comment 9

5 years ago
These sources, which I read often, help me to support my advocacy -- http://www.mozilla.org/en-US/privacy-policy.html  and  http://www.mozilla.org/en-US/about/legal.html

This seems invalid to current UI and more relevant to Persona.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
Whiteboard: [Triage 2015-04-17]