As previously mentioned, Mozilla decommissioned Persona and moved to Auth0 as its authentication provider. During the past days we received reports that users were getting HTTP 400 (Bad Request) responses upon login. With KaiRo's help we tracked down an issue in Auth0's plain-text URL encoding. Awesome find! Big kudos to KaiRo!
For full details, please read on.
Steps to reproduce
- Open reps.mozilla.org
- In the top right, select Login
- On Mozilla’s Auth0 Log in page, select Log in with Email
- Enter your email address
- Press Send Email
- In your mail client, open the message from Mozilla SSO and view its source
  - In Gmail: Options > Show original
  - In Thunderbird: View > Message Source (or ⌘U)
- Take the login URL from section “Content-Type: text/plain” and paste it into your browser
- A web page displaying “Oops!, something went wrong” is loaded
User-facing error message
Upon clicking the login URL from the text/plain content, the browser:
- Opens a URL starting with https://auth.mozilla.auth0.com/passwordless/verify_redirect
- The web page says “Oops!, something went wrong”
- Clicking on TECHNICAL DETAILS > See details for this error shows: invalid_request: missing client_id parameter
Root cause analysis
The full passwordless authentication email looks like this (content simplified):

Content-Type: multipart/alternative; boundary="----sinikael-?=_1-14816452544280.8165679203812033"
From: Mozilla SSO <firstname.lastname@example.org>
Subject: Welcome to reps.mozilla.org
X-Mailer: nodemailer (2.3.0; +http://nodemailer.com/; SES/1.3.0)
Date: Tue, 13 Dec 2016 16:07:34 +0000

------sinikael-?=_1-14816452544280.8165679203812033
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Welcome to reps.mozilla.org!

Click and confirm that you want to sign in to=
 reps.mozilla.org. This link will expire in five minutes:

https://auth.mozilla.auth0.com/passwordless/verify_redirect?=
scope=3Dopenid&amp;response_type=3Dcode&amp;redirect_uri=3Dhttps%3A%2F%2Fre=
ps.mozilla.org%2Foidc%2Fcallback%2F
[other parameters removed for privacy]

If you are having any issues with your =
account, please don't hesitate to contact us by replying to this mail.

Thanks!
reps.mozilla.org

------sinikael-?=_1-14816452544280.8165679203812033
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.=
w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns=3D"http://www.w3=
.org/1999/xhtml">
[Content removed for sake of readability.]
</html>

------sinikael-?=_1-14816452544280.8165679203812033--
The relevant part is the text/plain section. The URL parameters are encoded incorrectly: instead of a plain & (ampersand), the parameters are joined by the HTML-encoded ampersand (&amp;). HTML entities mean nothing in a text/plain body, so the browser sends them literally and the server splits the query on the bare & only, ending up with parameters named amp;response_type, amp;redirect_uri and so on. The expected client_id parameter is therefore not found, which is exactly the invalid_request error behind the HTTP 400 (Bad Request).
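To make the failure concrete, here is an added example (not code from this post, Auth0 or the Reps project) that pulls the login URL out of a constructed message modelled on the one above, splits its query the way the server does, and shows that client_id only appears once the entities are unescaped. The sample mail, the CLIENT_ID_PLACEHOLDER value and the helper names are assumptions.

```python
import email
import html
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed sample modelled on the message above (not the real mail). The
# text/plain part is quoted-printable and its query string carries the bug:
# parameters joined by the HTML entity &amp; instead of a bare &.
# CLIENT_ID_PLACEHOLDER stands in for the real client_id value.
RAW_MAIL = b"""Content-Type: multipart/alternative; boundary="b1"
From: Mozilla SSO <sso@example.org>
Subject: Welcome to reps.mozilla.org

--b1
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Click and confirm: https://auth.mozilla.auth0.com/passwordless/verify_redirect?=
scope=3Dopenid&amp;response_type=3Dcode&amp;client_id=3DCLIENT_ID_PLACEHOLDER&amp;=
redirect_uri=3Dhttps%3A%2F%2Freps.mozilla.org%2Foidc%2Fcallback%2F

--b1--
"""


def extract_login_url(raw_mail: bytes) -> str:
    """Return the first https URL in the decoded text/plain part."""
    for part in email.message_from_bytes(raw_mail).walk():
        if part.get_content_type() == "text/plain":
            # decode=True removes the quoted-printable soft line breaks (=\n)
            body = part.get_payload(decode=True).decode("utf-8")
            match = re.search(r"https://\S+", body)
            if match:
                return match.group(0)
    raise ValueError("no login URL found in the text/plain part")


def query_params(url: str) -> dict:
    """Split the query on bare '&' only, as the auth server does."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def entity_encoded_keys(url: str) -> list:
    """Keys starting with 'amp;' reveal HTML-escaped separators in the URL."""
    return [k for k in query_params(url) if k.startswith("amp;")]


def repaired_url(url: str) -> str:
    """What the sender should have emitted: the query with entities unescaped."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=html.unescape(parts.query)))
```

Running entity_encoded_keys over the link in a received mail is a quick check for this class of bug before a user hits the verify_redirect endpoint.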
We opened a ticket with Auth0 and expect this to be fixed soon.
Kudos to KaiRo for reporting and tracking this down.
Awesome Mozilla InfoSec team for following up and keeping the energy level high!