$1,000 Bug: Firefox Account Deletion Without 2FA or Authorization
Summary
A security researcher has discovered that attackers were able to delete Firefox accounts, provided they had the associated email address and password.
The vulnerability lay in the fact that the ‘account destroy’ endpoint did not require authentication via an authorisation header; knowing the email address and password was enough.
Furthermore, the hashed password needed to delete an account was generated by plaintext JavaScript, meaning that once a user had entered their password, it was potentially retrievable by an attacker.
The issue has been fixed, and the researcher was paid a $1,000 bug bounty.
This discovery yet again highlights the importance of two-factor authentication and the potential risks associated with password-only log-in processes.
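The two flaws described in the summary, contrasted with the check that was missing, as an added Python example (not Mozilla's code): the request shape, the `authPW` field name, the session store and the sample account are all assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed sample state (assumptions, not real Firefox Accounts data):
# AUTH_PW stands in for the password-derived hash a client would submit.
AUTH_PW = hashlib.sha256(b"correct horse battery").hexdigest()
ACCOUNTS = {"alice@example.com": {"auth_pw_hash": AUTH_PW}}
SESSIONS = {"sess-token-abc": {"email": "alice@example.com", "mfa_verified": True}}


def _credentials_match(accounts, body):
    """Constant-time comparison of the submitted hash against the stored one."""
    acct = accounts.get(body.get("email"))
    return acct is not None and hmac.compare_digest(
        acct["auth_pw_hash"], body.get("authPW", ""))


def vulnerable_destroy(headers, body, accounts):
    """Mirrors the flaw: email plus the client-derived hash is all it takes.
    The Authorization header is never consulted, so anyone holding the hash
    (recoverable from the client-side JavaScript) can delete the account."""
    if not _credentials_match(accounts, body):
        return 401, "bad credentials"
    del accounts[body["email"]]
    return 200, "deleted"


def hardened_destroy(headers, body, accounts, sessions):
    """Requires a bearer session from the Authorization header that is bound
    to the target account and has a verified second factor. Only then is the
    password-derived hash checked, so the hash alone never authorises deletion."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    sess = sessions.get(token) if scheme == "Bearer" else None
    if sess is None:
        return 401, "missing or invalid session"
    if sess["email"] != body.get("email"):
        return 403, "session not bound to this account"
    if not sess.get("mfa_verified"):
        return 403, "second factor required"
    if not _credentials_match(accounts, body):
        return 401, "bad credentials"
    del accounts[body["email"]]
    sessions.pop(token)  # revoke the session that performed the deletion
    return 200, "deleted"
```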