Bitbucket Cloud: BCLOUD-8925

Issue and comment delete links are unauthenticated GET, vulnerable to CSRF (BB-10093)


Description

First: please add instructions to your support site for what users should do when they find potentially damaging vulnerabilities with your site. If you don't have instructions for how security issues should be handled, it doesn't give the impression that you care very much.

In many cases it is trivial for a malicious user to cause issues and issue comments on Bitbucket to be deleted. Their delete links are simple unauthenticated HTTP GET requests. As you should know, these must never be used to trigger the modification of significant data.

A malicious user just needs to post a comment that tries to load the delete URL as an image. When that comment is viewed by a user with appropriate permissions, it will cause the target issue or comment to be deleted.

![](https://bitbucket.org/ACCOUNT/REPO/issue/delete/ISSUE_ID/COMMENT_ID)

This could be set up to also delete the payload comment, nicely cleaning up the evidence of the abuse. (At least from our perspective. I hope you would have still some internal records/logs.)

I have successfully used this technique to cause issues owned by teammates of mine to be deleted, by including the delete URL as an image in one of our team chat rooms.
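The report boils down to one server-side design error: a state-changing operation reachable by a plain GET, with nothing tying the request to a deliberate action by the logged-in user. The following is an added illustration (not Bitbucket's code) of that handler pattern next to a hardened form of the same delete route. The `Request`/`Session` objects, the in-memory `IssueStore`, the `/ACCOUNT/REPO/issue/delete/ISSUE_ID/COMMENT_ID` path shape (taken from the report) and `SITE_ORIGIN` are all assumptions constructed for the example.

```python
"""
Added example (not Bitbucket's code): a GET-triggered delete handler beside a
hardened version that requires POST, a per-session CSRF token and, as defence in
depth, a same-origin Origin header. All names, paths and data are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # Per-session secret; the delete form renders it as a hidden field. A page on
    # another origin cannot read it, so it cannot be forged from an <img> or a form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    path: str
    session: Session
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class IssueStore:
    """In-memory stand-in for the tracker's storage, seeded with one comment."""

    def __init__(self):
        self.comments = {("1", "c1"): {"author": "alice", "body": "first"}}

    def delete_comment(self, issue_id, comment_id):
        return self.comments.pop((issue_id, comment_id), None) is not None


def parse_delete_path(path):
    # Expected shape: /ACCOUNT/REPO/issue/delete/ISSUE_ID/COMMENT_ID
    parts = path.strip("/").split("/")
    if len(parts) != 6 or parts[2:4] != ["issue", "delete"]:
        return None
    return parts[4], parts[5]


def vulnerable_delete(req, store):
    """The pattern the report describes: any authenticated GET deletes the comment.

    Nothing here distinguishes a click on a delete button from a browser fetching
    an <img src="..."> embedded in someone else's comment.
    """
    ids = parse_delete_path(req.path)
    if ids is None:
        return 404
    store.delete_comment(*ids)
    return 200


SITE_ORIGIN = "https://bitbucket.org"  # assumed origin of the application


def hardened_delete(req, store):
    """Only a same-origin POST carrying the session's CSRF token may delete."""
    ids = parse_delete_path(req.path)
    if ids is None:
        return 404
    if req.method != "POST":
        return 405  # a GET (image load, link prefetch, crawler) can never change state
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403  # cross-site form POSTs announce themselves via Origin
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the token check does not leak via timing.
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        return 403
    if not store.delete_comment(*ids):
        return 404
    return 204
```

The Origin check alone is not sufficient (older clients may omit the header, which is why a missing header is tolerated here), and the method check alone is not sufficient either, since a cross-site page can still auto-submit a POST form; the token is what binds the request to the victim's own session, and the other two checks cut off the cheap paths first.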

People

evzijst
jeremyBanks