Summary
Security researcher erdy uncovered a serious vulnerability in Mozilla’s account management API. The flaw allowed an attacker who knew a user’s password to delete that Firefox account with a single unauthenticated POST request. Shockingly, the endpoint `/v1/account/destroy` required neither two-factor authentication (2FA) nor even an Authorization header.
This vulnerability highlights a major oversight in backend validation, especially in high-impact actions like account deletion.
Bug Bounty Reward: $1,000
The Vulnerable Endpoint
The Mozilla account API exposed the following endpoint:
`POST https://api-accounts.stage.mozaws.net/v1/account/destroy`
This endpoint was responsible for account deletion and expected only two fields in the body:
```json
{
  "email": "<target_email>",
  "authPW": "<hashed_password>"
}
```
No Authorization header or valid session token was required. Even more concerning, the `authPW` value was generated client-side, using public JavaScript…