What I Learned This Week

HTTP 400 (Bad Request) on Mozilla’s Auth0 Passwordless Login

As previously mentioned, Mozilla decommissioned Persona and moved to Auth0 as its authentication provider. Over the past few days, we received reports that users were returned HTTP 400 (Bad Request) upon login. With KaiRo‘s help we tracked down an issue in Auth0‘s plain-text URL encoding. Awesome find! Big kudos to KaiRo!

For full details, please read on.

Steps to reproduce

User-facing error message

Upon clicking the login URL from the text/plain content, the browser:

Root cause analysis

The passwordless authentication email full message looks like this (simplified content):

Content-Type: multipart/alternative;
 boundary="----sinikael-?=_1-14816452544280.8165679203812033"
From: Mozilla SSO <noreply@sso.mozilla.com>
Subject: Welcome to reps.mozilla.org
X-Mailer: nodemailer (2.3.0; +http://nodemailer.com/; SES/1.3.0)
Date: Tue, 13 Dec 2016 16:07:34 +0000


------sinikael-?=_1-14816452544280.8165679203812033
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Welcome to reps.mozilla.org!

Click and confirm that you want to sign in to=
 reps.mozilla.org. This link will expire in five minutes:

https://auth.mozilla.auth0.com/passwordless/verify_redirect?=
scope=3Dopenid&amp;response_type=3Dcode&amp;redirect_uri=3Dhttps%3A%2F%2Fre=
ps.mozilla.org%2Foidc%2Fcallback%2F [other parameters removed for privacy]

If you are having any issues with your =
account, please don't hesitate to contact us by replying to this mail.

Thanks!
reps.mozilla.org

------sinikael-?=_1-14816452544280.8165679203812033
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.=
w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns=3D"http://www.w3=
.org/1999/xhtml">

[Content removed for sake of readability.]
</html>
------sinikael-?=_1-14816452544280.8165679203812033--

The relevant part is the text/plain section. The URL parameters are encoded incorrectly: instead of a plain & (ampersand), the parameters are joined with an HTML-encoded ampersand (&amp;). HTML entities are only decoded when a browser renders HTML, so in the text/plain link the literal characters `&amp;` are sent to the server, which splits the query string on `&` and sees parameter names such as `amp;response_type` instead of `response_type`. This breaks the URL, resulting in the HTTP 400 (Bad Request).
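The following check reproduces the failure on a simplified copy of the message above and compares what the server receives with what the template intended. It is an added example, not code from the original post or from Auth0; the boundary is simplified and the `verification_code` value is a constructed placeholder.

```python
"""Check a passwordless login mail for HTML-escaped ampersands in its links.

Added example, not code from the original post or from Auth0. It rebuilds a
simplified copy of the quoted-printable message quoted above (boundary
simplified, token value a placeholder), decodes the text/plain part and
checks whether each link's query string would be understood by the server
as the template intended.
"""
from __future__ import annotations

import html
import re
from email import message_from_string
from urllib.parse import urlsplit, unquote

# Constructed sample modelled on the message in the post.
RAW_MAIL = """\
Content-Type: multipart/alternative; boundary="----example-boundary"
From: Mozilla SSO <noreply@sso.mozilla.com>
Subject: Welcome to reps.mozilla.org

------example-boundary
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Click and confirm that you want to sign in to=
 reps.mozilla.org. This link will expire in five minutes:

https://auth.mozilla.auth0.com/passwordless/verify_redirect?=
scope=3Dopenid&amp;response_type=3Dcode&amp;redirect_uri=3Dhttps%3A%2F%2Fre=
ps.mozilla.org%2Foidc%2Fcallback%2F&amp;verification_code=3DPLACEHOLDER

Thanks!

------example-boundary
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<html><body>[content removed]</body></html>
------example-boundary--
"""


def text_plain_body(raw_mail: str) -> str:
    """Return the text/plain alternative with quoted-printable undone."""
    msg = message_from_string(raw_mail)
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode("utf-8")
    raise ValueError("no text/plain part in message")


def parse_query(url: str) -> dict[str, str]:
    """Split the query on a literal '&' only, as the server does, and
    percent-decode the values. No HTML entity decoding happens here."""
    params: dict[str, str] = {}
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[key] = unquote(value)
    return params


def check_mail(raw_mail: str) -> dict[str, dict]:
    """For every link in the text/plain body, report the parameter names the
    server actually receives ('amp;...' keys) and the parameters the template
    intended but that never arrive under their real name."""
    body = text_plain_body(raw_mail)
    report: dict[str, dict] = {}
    for url in re.findall(r"https?://\S+", body):
        served = parse_query(url)
        # What the template should have emitted: the same link with HTML
        # entities decoded before it went into the text/plain part.
        intended = parse_query(html.unescape(url))
        report[url] = {
            "broken_keys": [k for k in served if k.startswith("amp;")],
            "missing_params": sorted(set(intended) - set(served)),
            "intended": intended,
        }
    return report


if __name__ == "__main__":
    for link, result in check_mail(RAW_MAIL).items():
        print(link)
        print("  server sees keys :", result["broken_keys"])
        print("  parameters lost  :", result["missing_params"])
        print("  intended redirect:", result["intended"].get("redirect_uri"))
```

Run against the sample, the check reports `amp;response_type`, `amp;redirect_uri` and `amp;verification_code` as the names the server receives, so `response_type`, `redirect_uri` and `verification_code` are effectively missing from the request. Feeding the same message with plain `&` separators yields an empty `broken_keys` list, which makes this a usable regression test for any mail template that emits links in both an HTML and a text/plain part.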

Next steps

We opened a ticket with Auth0 and expect this to be fixed soon.

Credits

Kudos to KaiRo for reporting and tracking this down.

Awesome Mozilla InfoSec team for following up and keeping the energy level high!