Delete Component watching for All Bugzilla Accounts in Mozilla(Indirect Object reference)

Bug Title : Delete Component watching for All Bugzilla Accounts in Mozilla(Indirect Object reference)

Bug type : Insecure Direct Object Reference (IDOR)

Category : Broken access control (horizontal privilege escalation)

OWASP Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Organization : Mozilla

Web Application Link : https://bugzilla.mozilla.org/

Description : A developer's Bugzilla account has a Component Watching feature, where you can save which product components you want to be notified about.

Exact link : https://bugzilla.mozilla.org/userprefs.cgi?tab=component_watch

When you save a component watch it is stored under a numeric ID. When you delete it, the HTTP request sent to the server carries only that watch ID, and the server removes whichever watch has that ID without checking that it belongs to the logged-in user. Changing the ID in the delete request therefore deletes any other user's component watch, and a simple script that iterates over the ID range can delete every user's component watches on the site.
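To show the flaw and its fix side by side, here is a constructed Python model of the delete endpoint. It is an added example, not Bugzilla's own (Perl) code; the watch store, the user IDs and the sample watches are all made up. The vulnerable handler deletes by ID alone, the hardened one scopes the lookup to the current user, and a small sweep simulates the attacker's script over the ID range.

```python
# Constructed model of the component-watch IDOR described above (not Bugzilla code).
from dataclasses import dataclass


@dataclass
class Watch:
    watch_id: int
    user_id: int      # owner of the watch
    product: str
    component: str


class WatchStore:
    """In-memory stand-in for the component_watch table."""

    def __init__(self):
        self._watches = {}
        self._next_id = 1

    def add(self, user_id, product, component):
        wid = self._next_id
        self._next_id += 1
        self._watches[wid] = Watch(wid, user_id, product, component)
        return wid

    def count(self):
        return len(self._watches)

    def vulnerable_delete(self, current_user, watch_id):
        # BUG: the client-supplied id is trusted; current_user is never consulted,
        # so any logged-in user can delete any watch just by changing the id.
        return self._watches.pop(watch_id, None) is not None

    def secure_delete(self, current_user, watch_id):
        # FIX: the lookup is scoped to the owner (the SQL equivalent is
        # DELETE ... WHERE id = ? AND user_id = ?). Not-found and not-owned
        # return the same result so the endpoint does not leak which ids exist.
        watch = self._watches.get(watch_id)
        if watch is None or watch.user_id != current_user:
            return False
        del self._watches[watch_id]
        return True


def sweep(attacker, delete, id_range):
    """Simulates the attacker's script: try every candidate id and count successes."""
    return sum(1 for wid in id_range if delete(attacker, wid))


def build_store():
    # Constructed sample data: three victims plus the attacker (user 3003).
    store = WatchStore()
    store.add(1001, "Firefox", "General")
    store.add(1001, "Core", "DOM")
    store.add(2002, "Thunderbird", "Mail")
    store.add(3003, "Bugzilla", "User Accounts")
    return store


def demo():
    """Run the same sweep against the vulnerable and the hardened handler."""
    attacker = 3003
    vuln, hard = build_store(), build_store()
    vuln_deleted = sweep(attacker, vuln.vulnerable_delete, range(1, 100))
    hard_deleted = sweep(attacker, hard.secure_delete, range(1, 100))
    return {
        "vulnerable_deleted": vuln_deleted,   # every watch on the site is gone
        "vulnerable_remaining": vuln.count(),
        "hardened_deleted": hard_deleted,     # only the attacker's own watch
        "hardened_remaining": hard.count(),
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is that the ownership check is part of the lookup, not a separate step after it: fetching the row by ID first and then comparing owners still works, but a query scoped to `user_id` cannot be forgotten on one code path while being present on another.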

Video POC link: https://www.dropbox.com/sc/b581mjcf95gbmek/AAC4OBJtn2Aol8HdGg7bCZpTa


Mozilla fixed the issue within a day and paid the reward within a few days.

Reward : $2000

Thanks for reading.

