Hi All,
We recently identified a problem with the handling of unicode email addresses in fxa-auth-server that, when used with certain configurations of MySQL, might allow the creation of fraudulently verified accounts. Anyone hosting their own copy of this software is encouraged to upgrade to the latest version (tag “v1.57.1” or later from GitHub).

More details below, but I want to express two key points up front:

- This issue has *not* impacted the production accounts servers that power https://accounts.firefox.com, as our production database configuration was not susceptible to the problem described below.
- The strong encryption used by Firefox Sync means that, even if this issue had turned out to affect our production environment, it could not have led to the disclosure of any of our users' private sync data.

That said, we did discover a security issue in some of our development environments, meaning it may also be present in self-hosted setups. I’m sending this notice as a precaution. If you’re running your own copy of fxa-auth-server, please update it as soon as possible.

Any questions or concerns should be directed to: [email protected]

More details below.

Thanks,

Ryan

----

What was the problem?
=====================

Firefox Accounts accepts internationalized email addresses, and we were storing these unicode strings in MySQL as a VARCHAR column without ensuring that an appropriate character encoding had been specified. A common configuration of MySQL is to use the “utf8” charset for storing unicode characters in such a column. Unfortunately MySQL’s “utf8” charset is not capable of storing the full range of unicode characters, and will truncate strings containing characters outside the Basic Multilingual Plane [1]. The correct encoding to use for such characters is “utf8mb4”, but the FxA code was not explicitly requesting this. As a result, FxA servers running atop such a MySQL database could be tricked into creating fraudulently verified accounts.
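As an added illustration (not code from fxa-auth-server), the following Node.js snippet shows the check that rejects addresses containing non-BMP characters, which the next section describes as the short-term mitigation, alongside a simplified model of how a non-strict MySQL “utf8” column truncates such a string. The `simulateUtf8mb3Truncation` function is a model written for this example and assumes the truncate-at-first-4-byte-sequence behaviour described in [1], not MySQL's own code.

```javascript
// Added example (not fxa-auth-server code). Assumes a Node.js runtime that
// provides the global TextEncoder / TextDecoder classes.

// Characters outside the Basic Multilingual Plane (code points above U+FFFF)
// are surrogate pairs in JavaScript strings and need four bytes in UTF-8,
// which MySQL's "utf8" (utf8mb3) charset cannot store.
function hasNonBmpChars(str) {
  for (const ch of str) {            // iterates by code point, not UTF-16 unit
    if (ch.codePointAt(0) > 0xffff) return true;
  }
  return false;
}

// Mitigation: refuse to register an address the storage layer may not round-trip
// intact. Returns null when the address is acceptable, otherwise a reason.
function validateEmailForStorage(email) {
  if (hasNonBmpChars(email)) {
    return 'email contains characters outside the Basic Multilingual Plane';
  }
  return null;
}

// Simplified model (an assumption for this example) of a non-strict MySQL "utf8"
// column: bytes up to the first 4-byte UTF-8 sequence are kept, the rest is
// silently dropped with only a warning. Lead bytes 0xF0..0xF4 start such a sequence.
function simulateUtf8mb3Truncation(str) {
  const bytes = new TextEncoder().encode(str);
  let end = bytes.length;
  for (let i = 0; i < bytes.length; i++) {
    if (bytes[i] >= 0xf0) { end = i; break; }
  }
  return new TextDecoder().decode(bytes.subarray(0, end));
}

// Does the address the database would record still equal the address the
// verification mail would be sent to? False means the two have diverged.
function storedMatchesDelivered(email) {
  return simulateUtf8mb3Truncation(email) === email;
}
```

BMP-only non-ASCII addresses (for example one containing “é”) pass the check and survive the modelled truncation unchanged, so the mitigation only blocks the class of addresses the bug affects.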
By using a carefully crafted email address containing non-BMP unicode characters, an attacker could cause the verification email to be sent to a different address than the one recorded in the database. We were able to confirm the existence of this problem in our development and staging environments. Fortunately, the main Mozilla-hosted service at https://accounts.firefox.com was not affected, as that database was using the “latin1” charset for storage of unicode strings. This is *not* a recommended solution, and we will be updating this database to use the “utf8mb4” charset in future.

How has it been fixed?
======================

We have added a short-term mitigation that explicitly rejects email addresses containing non-BMP unicode characters, to prevent the creation of fraudulently verified accounts regardless of MySQL database configuration.

A future update to fxa-auth-server will explicitly request the “utf8mb4” charset for storage of all unicode strings. This is not yet available as it will require significant QA work to ensure it can run in an automated, backwards-compatible fashion, and we did not want to delay availability of a short-term fix for the issue.

What do I need to do?
=====================

If you’re using the Mozilla-hosted Firefox Accounts servers, nothing. The MySQL configuration on our production database was not susceptible to this issue, and we have deployed additional mitigations to guard against any similar problems in the future.

If you’re running your own Firefox Accounts servers atop a MySQL database using the “utf8” charset, then you should:

- Upgrade to the latest version of fxa-auth-server, tag “v1.57.1” or later from GitHub. This version explicitly rejects email addresses containing non-BMP unicode characters.
- Check for and enable “strict mode” in your MySQL configuration [2]. This will cause MySQL to return an error rather than silently truncating strings.
- If available, audit your email sending logs to check for outgoing emails to unexpected internationalized domains.

[1] https://mathiasbynens.be/notes/mysql-utf8mb4
[2] https://dev.mysql.com/doc/refman/5.7/en/sql-mode.html#sql-mode-strict

_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct

