User Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20130116232420

Steps to reproduce:

Story: A user ABC enters a public cyber centre. She signs in with her valid account on that computer for the first time. She observes the error page and keeps refreshing the page. She observes that she is not yet signed in successfully, though her credentials were authentic and valid. Now she is fed up with this behaviour and leaves the place, closing the browser.

The user LMN comes into the public place and uses the same computer. LMN is a tricky guy who was watching the girl. Now he looks at the browser history and fetches the URL in the same browser. He sees the error page being displayed. Now he tweaks the URL and observes that he is signed in successfully. He closes the browser instances completely. Then he opens a new instance of the same browser with the URL he tweaked. He finds that sign-in is still successful as the user ABC. Now, ABC being a vouched user account, LMN can start playing around using her credentials.

Important Consideration:
1. Let us not assume that all the users who will be using Mozillian are tech-savvy techies. There are users who will not be aware of technical details. Protection of their data and identity is also the duty of Mozilla. In the above case, it is purely mishandling and a lack of context-appropriate session handling.
2. Using Persona on a public-place computer where a user sat before, browsing the Mozillian URL and using 'This is Me' will sign in successfully with no password prompt. This can be legally questioned too, under the FDC act clause of the USA, for showing an individual's personal identity details.

What are the security violations here?
---------------------------------------------------------
* As per claims of Mozilla:
++ it violates its claims in privacy-policy.html and reveals a person's individual identity information by displaying it. User ABC's profile is open to LMN.
++ it violates the Protection of Certain Personally-Identifying Information claims. Details of the user are exposed to the public.

Steps to reproduce:
1. Sign in to Mozillian -- https://mozillians.allizom.org/
2. Sign in using Persona for the first time on that computer with valid credentials. Choose the 'This session only' option in Persona while signing in.
3. Observe the page displayed. It shows -- https://mozillians.allizom.org/browserid/verify
4. Close the browser instance completely.
5. Open a new instance of the browser.
6. Browse to the URL used previously.
7. Tweak the URL https://mozillians.allizom.org/browserid/verify to https://mozillians.allizom.org/.
8. Observe the user being signed in successfully.

Actual results:
1. The successful sign-in session is retained.
2. Exposure of personal details publicly with no constraints. This can be a problem for Mozilla as well if the exploiter is smart enough.

Expected results:
1. The signed-in session should have been terminated on closing the browser instance.
2. A session timeout is required for an active session that has been idle for a stipulated time period.
assigned to dchan for verification
Hi Ravi, I am unable to reproduce with the steps provided. I signed into mozillians with a new unvouched account. After selecting 'This session only' I was redirected to the create profile page. Am I missing a step?
Hi Chan, I have missed it. Sorry for including the steps. I do not know how it got missed; probably while copy-pasting from my observation notes, I might have skipped that part. Will update in a couple of hours from now.
Hi Chan, I have missed it. Sorry for not including the appropriate steps. Will rework on it immediately. I do not know how it got missed; probably while copy-pasting from my observation notes, I might have skipped critical steps/actions. Will update in a couple of hours from now. Thanks for your time in looking at this report.

(In reply to David Chan [:dchan] from comment #2)
> Hi Ravi,
>
> I am unable to reproduce with the steps provided. I signed into mozillians
> with a new unvouched account. After selecting 'This session only' I was
> redirected to the create profile page. Am I missing a step?
Created attachment 719852 [details]
video file

Hi David, I'm attaching the video file which includes the actions and behaviour observed. If this does not help, kindly let me know. I will be happy to give you whatever information you need. Sorry, last night the network broke down in the place where I was, hence I was not able to update it. Thanks for waiting.

Attachment Detail:
1. Video file 845299_video.zip attached.
Hi Ravi, Thanks for the video. I have reproduced the issue on the staging environment. It doesn't seem to work on production so it may be a configuration error. Both staging and production perform a POST to /browserid/verify on successful login. However this produces an error on staging (403 Forbidden). I believe you are already logged in at this point, which explains why you can navigate to the main page and have it work. Andrei explained in bug 846641 how Persona SSO works. Although this bug doesn't appear to be a security issue in my opinion, it is a bug in our staging environment.

Will: There appears to be some configuration error on staging which manifests as a 403

STR
1. Login to https://mozillians.allizom.org
2. Clear cookie data / local storage
3. Log back into https://mozillians.allizom.org
4. See "Something went wrong" error page (https://mozillians.allizom.org/browserid/verify/)

Expected
No error
Opening up since it isn't a security issue. The workflow is confusing though.
These sources, which I read often, help me to support my advocacy -- http://www.mozilla.org/en-US/privacy-policy.html and http://www.mozilla.org/en-US/about/legal.html
This seems invalid for the current UI and more relevant to Persona.