Status

addons.mozilla.org Graveyard
Developer Pages
RESOLVED INVALID
5 years ago
2 years ago

People

(Reporter: Anand Sundar Tiwari, Assigned: andym)

Tracking

(Blocks: 1 bug, {sec-low})

unspecified
2013-05-30
sec-low

Details

(Whiteboard: [site:addons.mozilla.org])

Attachments

(1 attachment)

6.15 MB, application/octet-stream
Details
(Reporter)

Description

5 years ago
Created attachment 743648 [details]
Mozilla poc.mp4

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31

Steps to reproduce:

Found authentication bypass through cookies.
Here User account cookies is not expire when user logout from there account.
through this attacker take full access on user account.
I found this issue in https://addons.mozilla.org user account.
I send you Video for POC please check it out.


Actual results:

Watch video.


Expected results:

Attacker get full access on user account
assigning to rforbes for verification
Assignee: nobody → rforbes
Whiteboard: [site:addons.mozilla.org][verif?]
Group: core-security → client-services-security
Component: Untriaged → Developer Pages
OS: Windows 8 → All
Product: Firefox → addons.mozilla.org
Hardware: x86_64 → All
> Attacker get full access on user account

How does the attacker get your cookies from the TLS connection?
Flags: sec-bounty?
(Reporter)

Comment 3

5 years ago
Its not matter if attacker reachable user system they perform some technique like if attacker known about vulnerability they perform man in middle attack to sniff or capture packet or watching user history and perform some HTTP header history recorder or saving History of HTTP Header. And using in further attack.
In This video you see clear that if attacker record HTTP header then they get full access on user account.
Please make sure that if user logged out then all cookies and Header will expire.
This vulnerability is in-proper logged out.

Thanks
@wil, can you confirm this is a sec low?
Assignee: rforbes → clouserw
Keywords: sec-low
Duplicate of this bug: 873817
Blocks: 835438
(In reply to Raymond Forbes[:rforbes] from comment #4)
> @wil, can you confirm this is a sec low?

it is
Assignee: clouserw → nobody
Duplicate of this bug: 873399
(Assignee)

Updated

5 years ago
Assignee: nobody → amckay
Target Milestone: --- → 2013-05-30
(Reporter)

Comment 8

5 years ago
have you checked this vulnerability eligible for bug bounty.
Bug bounty applies to sec-high and sec-critical. Our security people have flagged this as sec-low.

http://www.mozilla.org/security/bug-bounty.html
(Assignee)

Comment 10

5 years ago
We switched to cookie based sessions. So if you can steal someones cookies, you've essentially got their entire session. There's some things we can do to limit this like checking the IP or User Agent changes (similar to Webpay). But in this example video it wouldn't make much difference.

Is the IP or User Agent detection worth it? I'm not sure how else to prevent this, any ideas?
Not really.  If someone is in a position to acquire the cookie from a TLS connection, it means that they have been MITM'd, there is another, more serious vulnerability in AMO, or the users' client is compromised.

The useability issues introduced by IP or user agent controls would likely override the potential for mitigating a fairly unlikely attack.
(Assignee)

Comment 12

5 years ago
When a user is logged out the session is changed, we don't leave it around. So I don't think there's anything else to do here. In the example the cookie is being intercepted and re-used and I don't think thats an attack that can be replicated without access to the target machine.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID
I think the suggestion is when the user logs out, we delete their session.
(Assignee)

Comment 14

5 years ago
Delete from where?
Flags: sec-bounty?
Whiteboard: [site:addons.mozilla.org][verif?] → [site:addons.mozilla.org]
Duplicate of this bug: 1070105
Group: client-services-security
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.