HTTP 400 (Bad Request) on Mozilla’s Auth0 Passwordless Login

As previously mentioned, Mozilla decommissioned Persona and moved to Auth0 as authentication provider. Over the past few days, we received reports that users were returned HTTP 400 (Bad Request) upon login. With KaiRo’s help we tracked down an issue in Auth0’s plain text URL encoding. Awesome find! Big kudos to KaiRo!

For full details, please read on.

Steps to reproduce

  • Open reps.mozilla.org
  • In the top right, select Login
  • On Mozilla’s Auth0 Log in page, select Log in with Email
  • Enter your email address
  • Press Send Email
  • In your mail open the message from Mozilla SSO and view source
    • In Gmail: Options > Show original
    • In Thunderbird: View > Message Source (or ⌘U)
  • Take the login URL from section “Content-Type: text/plain” and paste it into your browser
  • A web page displaying “Oops!, something went wrong” is loaded

User-facing error message

Upon clicking the login URL from the text/plain content, the browser:

  • Opens a URL starting with https://auth.mozilla.auth0.com/passwordless/verify_redirect
  • The web page says “Oops!, something went wrong”
  • Clicking on TECHNICAL DETAILS > See details for this error shows: invalid_request: missing client_id parameter

[Screenshot: Auth0 HTTP 400 error page]

Root cause analysis

The passwordless authentication email full message looks like this (simplified content):

Content-Type: multipart/alternative;
 boundary="----sinikael-?=_1-14816452544280.8165679203812033"
From: Mozilla SSO <noreply@sso.mozilla.com>
Subject: Welcome to reps.mozilla.org
X-Mailer: nodemailer (2.3.0; +http://nodemailer.com/; SES/1.3.0)
Date: Tue, 13 Dec 2016 16:07:34 +0000


------sinikael-?=_1-14816452544280.8165679203812033
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Welcome to reps.mozilla.org!

Click and confirm that you want to sign in to=
 reps.mozilla.org. This link will expire in five minutes:

https://auth.mozilla.auth0.com/passwordless/verify_redirect?=
scope=3Dopenid&amp;response_type=3Dcode&amp;redirect_uri=3Dhttps%3A%2F%2Fre=
ps.mozilla.org%2Foidc%2Fcallback%2F [other parameters removed for privacy]

If you are having any issues with your =
account, please don't hesitate to contact us by replying to this mail.

Thanks!
reps.mozilla.org

------sinikael-?=_1-14816452544280.8165679203812033
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.=
w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns=3D"http://www.w3=
.org/1999/xhtml">

[Content removed for sake of readability.]
</html>
------sinikael-?=_1-14816452544280.8165679203812033--

The relevant part is the text/plain section. The URL parameters are encoded incorrectly: instead of a plain & (ampersand), the parameters are concatenated with an HTML-encoded ampersand (&amp;). HTML entities have no meaning in a text/plain body, so the browser sends the URL unchanged; the server splits the query string on & only and therefore sees parameter names such as amp;response_type instead of response_type, and the client_id parameter is never found. This breaks the URL, resulting in the HTTP 400 (Bad Request) with invalid_request: missing client_id parameter.
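As an added illustration (not from the original post or from Auth0's code), the following Python parses a constructed multipart message modelled on the one above, decodes the quoted-printable parts and shows the difference between the two parts: in the text/html part a browser decodes &amp; inside href, while in the text/plain part the same string reaches the server verbatim and turns response_type and client_id into parameters named amp;response_type and amp;client_id. The hostname and the client_id value are placeholders.

```python
import html, re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Constructed sample modelled on the mail above; host and client_id are placeholders.
RAW_MAIL = """\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

https://auth.example.invalid/passwordless/verify_redirect?=
scope=3Dopenid&amp;response_type=3Dcode&amp;client_id=3DPLACEHOLDER
--b1
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<a href=3D"https://auth.example.invalid/passwordless/verify_redirect?scope=3Dopenid&amp;response_type=3Dcode&amp;client_id=3DPLACEHOLDER">Sign in</a>
--b1--
"""

URL_RE = re.compile(r'https://[^\s"<>]+')
ENTITY_RE = re.compile(r"&(#\d+|#x[0-9a-f]+|[a-z]+);", re.I)
REQUIRED = {"scope", "response_type", "client_id"}

def extract_login_urls(raw):
    """Return {subtype: url} per text part, after quoted-printable decoding."""
    msg = message_from_string(raw, policy=policy.default)
    urls = {}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        if part.get_content_subtype() == "html":
            body = html.unescape(body)  # a browser decodes &amp; inside href
        if m := URL_RE.search(body):
            urls[part.get_content_subtype()] = m.group(0)
    return urls

def param_names(url):
    """Names as a server splitting the query on '&' sees them (no entity decoding)."""
    return {p.split("=", 1)[0] for p in urlsplit(url).query.split("&") if p}

def check_plain_text_url(url):
    """Flag a text/plain login link that the authorization server would reject."""
    problems = ["html entity in plain-text url"] if ENTITY_RE.search(url) else []
    if missing := REQUIRED - param_names(url):
        problems.append("missing " + ",".join(sorted(missing)))
    return problems
```

Running check_plain_text_url over the text/plain link of every outgoing template is a cheap regression check for this class of bug.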

Next steps

We opened a ticket with Auth0 and expect this to be fixed soon.

Credits

Kudos to KaiRo for reporting and tracking this down.

Awesome Mozilla InfoSec team for following up and keeping the energy level high!
