Created attachment 743648
Mozilla poc.mp4

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31

Steps to reproduce:
Found an authentication bypass through cookies. Here, user account cookies do not expire when the user logs out of their account. Through this, an attacker takes full access of the user account. I found this issue in the https://addons.mozilla.org user account. I am sending you a video as the POC; please check it out.

Actual results:
Watch the video.

Expected results:
Attacker gets full access to the user account.
assigning to rforbes for verification
> Attacker get full access on user account

How does the attacker get your cookies from the TLS connection?
It doesn't matter whether the attacker can reach the user's system; they perform some technique. If the attacker knows about the vulnerability, they perform a man-in-the-middle attack to sniff or capture packets, or they watch the user's history and use some HTTP header history recorder or save the history of HTTP headers, and use it in a further attack. In this video you can see clearly that if the attacker records the HTTP header, then they get full access to the user account. Please make sure that if the user logs out, then all cookies and headers expire. This vulnerability is an improper logout. Thanks
@wil, can you confirm this is a sec low?
(In reply to Raymond Forbes [:rforbes] from comment #4)
> @wil, can you confirm this is a sec low?

It is.
Have you checked whether this vulnerability is eligible for a bug bounty?
Bug bounty applies to sec-high and sec-critical. Our security people have flagged this as sec-low. http://www.mozilla.org/security/bug-bounty.html
We switched to cookie based sessions. So if you can steal someone's cookies, you've essentially got their entire session. There are some things we can do to limit this, like checking for IP or User Agent changes (similar to Webpay). But in this example video it wouldn't make much difference. Is the IP or User Agent detection worth it? I'm not sure how else to prevent this, any ideas?
Not really. If someone is in a position to acquire the cookie from a TLS connection, it means that they have been MITM'd, there is another, more serious vulnerability in AMO, or the user's client is compromised. The usability issues introduced by IP or user agent controls would likely override the potential for mitigating a fairly unlikely attack.
When a user is logged out the session is changed, we don't leave it around. So I don't think there's anything else to do here. In the example the cookie is being intercepted and re-used, and I don't think that's an attack that can be replicated without access to the target machine.
I think the suggestion is when the user logs out, we delete their session.
Delete from where?
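As an added example (not code from this bug thread or from AMO), the distinction the last comments turn on: with a purely cookie-based session there is no server-side record to delete at logout, so a copy of the cookie captured earlier keeps verifying until it expires; adding a server-side revocation set keyed by session id gives logout something to delete from. The cookie format, key, and function names are assumptions made for the demonstration.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional
SECRET_KEY = b"demo-key-not-for-production"  # constructed demo key, not a real secret

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_session_cookie(user: str, ttl: int = 3600) -> str:
    """Cookie-based session: user, random session id and expiry, HMAC-signed.
    All state lives in the cookie itself; the server stores nothing at login."""
    claims = {"user": user, "sid": secrets.token_hex(8), "exp": int(time.time()) + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(sig)}"

def verify_signature(cookie: str) -> Optional[dict]:
    """Return the claims if the HMAC verifies and the cookie is unexpired."""
    try:
        p, s = cookie.split(".")
        payload, sig = b64d(p), b64d(s)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    return claims if claims["exp"] > time.time() else None

# The single piece of server-side state this adds: session ids revoked at
# logout. It is the thing "delete their session" has to delete from.
REVOKED_SIDS: set = set()

def logout_client_only(cookie: str) -> str:
    """Purely cookie-based logout: only the browser drops the cookie; a captured copy stays valid until exp."""
    return "Set-Cookie: session=; Max-Age=0"

def logout_with_revocation(cookie: str) -> str:
    """Logout that also revokes the session id, so a replayed copy is rejected despite a valid signature."""
    claims = verify_signature(cookie)
    if claims is not None:
        REVOKED_SIDS.add(claims["sid"])
    return "Set-Cookie: session=; Max-Age=0"

def authenticate(cookie: str) -> Optional[str]:
    claims = verify_signature(cookie)
    if claims is None or claims["sid"] in REVOKED_SIDS:
        return None
    return claims["user"]
```

The revocation set only needs to hold ids until their cookie's exp passes, so it stays bounded even without a full server-side session store.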