Insufficient Session Expiration

RESOLVED INVALID

Status

Cloud Services
General
5 years ago
3 years ago

People

(Reporter: HIMANSHU KUMAR DAS, Unassigned)

Tracking

(Blocks: 1 bug)


Details

(Reporter)

Description

5 years ago
Created attachment 733320 [details]
PoC.avi

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Build ID: 20130307023931

Steps to reproduce:

I logged in to https://account.services.mozilla.com with my credentials.


Actual results:

I logged out of the Mozilla service, went back and refreshed the page. I was able to log in again without entering any credentials. This is the high severity Insufficient Session Expiration bug in https://account.services.mozilla.com


Expected results:

As I have clicked on the logout, the earlier user session should have been destroyed, and on refreshing the page I should have been asked to enter my login credentials.

I am unable to reproduce this behavior. If I log out and refresh the page I am re-prompted for credentials. It is likely refreshing your page from your local cache.
Blocks: 835618
Flags: sec-bounty-
(Reporter)

Comment 2

5 years ago
Created attachment 733388 [details]
Proof Of Concept

Proof Of Concept Video
(Reporter)

Comment 3

5 years ago
Hi Curtis,

I have tried in another browser too, I am getting the same result.

Curtis, I would like to explain the bug from the exploit scenario.

In the video I have demonstrated that I have successfully logged in to my Firefox account. After I click on the logout option, I get the message that I have been logged out, but if I go back and refresh the page, I am not being prompted to re-enter my password.

This could be malicious in the scenario that, if a victim logs out of his account and leaves the browser open, the attacker might utilize the victim's last session by going back and refreshing the page.

I have attached 2 videos as a Proof of Concept in my bug submission.

Thank You.


Regards
Himanshu Kumar Das

You are reloading a local cache; if you actually try to change the password, the page will prompt you to log in again. So yes, the page is drawn as you saw it, as the page is being loaded from the local cache, but as the session has expired you can't actually do anything.
Group: mozilla-services-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID

I made PoC videos private as they may contain the reporter's actual account information.
(Reporter)

Comment 6

5 years ago
Hi Curtis,

I have a doubt again,

According to you, even though I can go back, refresh the page and load the page from the cache, I would not be able to change the password. But here on my end, I am logging out of my account, I am going back and refreshing the page, and I am allowed to change the password. After changing the password, I am able to log in to my account with the new password.

Please take the time to have a look at my other video PoC:

https://www.dropbox.com/s/a3en2buuj40aj5r/Poc3.avi


In the above video PoC, I click on logout, and after clicking on logout, I get the message that I have been logged out from my account. But if I go back and refresh the page, I can use the change password functionality and change the password, which is completely wrong. I shouldn't be allowed to change the password just by accessing the page from the local cache.

On clicking the logout hyperlink, my current session should strictly be destroyed, which I am not able to observe at my end.

Thank You.

Regards
Himanshu Kumar Das

Comment 7

5 years ago
Hi Himanshu,

I've looked at your latest video and agree with Curtis' assessment. During your video, at approximately 32 seconds, you reload the page and a prompt appears. If you look at the prompt closely, you will see that it is telling you that the page will resubmit form/post data. This has the side-effect of logging you in again. If you change the steps to

- signout
- visit https://account.services.mozilla.com/

you will see that you have actually been logged out.

Thanks for looking into this issue for us.
(Reporter)

Comment 8

5 years ago
Hi David/Curtis,

I am still not satisfied with the conversation and have a doubt.

I would like to elaborate the exploit scenario in the real world.

Steps in a real world exploit scenario:

1. I logged in to https://account.services.mozilla.com/ on a shared/public system.
2. I click on the Signout hyperlink (https://account.services.mozilla.com/logout).
3. I get a message --> "Thanks for visiting. You have been logged out! "
4. I left the browser open.
5. Another user comes in, clicks on the back button on the browser, then refreshes. He gets a prompt asking if he wants to resend the POST data.
6. He resends, is logged into my account, and changes my password.
7. Password changed successfully.

Here, I want to focus on Step 3 and Step 5.

In Step 3, if I get a message that I had been logged out, then my doubt is how come someone is able to resend the POST data again and log in to my account again?

In Step 5, why am I allowed to resend the POST data again, if I have already logged out? The point to notice is that the logout event is taking place before going back and pressing refresh. Regardless of the message from the logout, I am able to resend the earlier POST data and log back in to my account.

In the video, I have also demonstrated that the password was changed successfully.

I request you to please have a look on the issue again.

Thank You.

Regards
Himanshu Kumar Das
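
The sequence discussed in Comments 7 and 8, modelled as an added example (not part of the bug thread and not Mozilla's code): logout destroys the server-side session, yet a resubmitted login POST creates a fresh one unless the login form carries a single-use token. The `AuthServer` class, the account data and the token scheme are all assumptions made for illustration.

```python
import hmac
import secrets


class AuthServer:
    """Toy login endpoint (hypothetical model, not Mozilla's code)."""

    def __init__(self, single_use_form_token):
        self.single_use_form_token = single_use_form_token
        self.users = {"alice": "correct horse"}  # constructed sample account
        self.form_tokens = set()  # tokens issued with the login form, unused
        self.sessions = {}        # session id -> username

    def get_login_form(self):
        token = secrets.token_hex(16)
        self.form_tokens.add(token)
        return token

    def post_login(self, form):
        """Handle a login POST body; return a new session id or None."""
        if self.single_use_form_token:
            if form.get("token") not in self.form_tokens:
                return None  # token unknown or already spent: replayed POST
            self.form_tokens.discard(form["token"])
        expected = self.users.get(form["user"], "")
        supplied = form["password"]
        if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = form["user"]
        return sid

    def logout(self, sid):
        self.sessions.pop(sid, None)  # server-side session destruction

    def change_password(self, sid, new_password):
        user = self.sessions.get(sid)
        if user is None:
            return False  # no live session: request refused
        self.users[user] = new_password
        return True


def replay_after_logout(server):
    """Return (old_session_rejected, replayed_login_accepted)."""
    form = {"user": "alice", "password": "correct horse",
            "token": server.get_login_form()}
    sid = server.post_login(form)        # original login POST
    server.logout(sid)                   # "You have been logged out!"
    old_rejected = not server.change_password(sid, "changed")
    replayed = server.post_login(form)   # browser resends the same POST body
    return old_rejected, replayed is not None
```

In both configurations the old session id is refused after logout; only the replayed login POST differs, which is why the page can look logged in again after a resubmit even though the original session was destroyed.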