FastMail.com Domain Ownership Bypass via Database Truncation
Just a quick one: be wary of silent truncation in SQL databases.
In this case, I discovered that when adding email domains to FastMail, it was possible to bypass the ownership check for existing domains.
For example, if you only own id-rsa.pub, somebody else owns microsoft.com, and you try to add staff.microsoft.com, the ownership check rejects the request.
However, if you know (or can guess!) that the database column is only 255 characters wide, then you can try to add a value where the domain falls on the truncation boundary:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxx.microsoft.com.id-rsa.pub
It will pass the ownership check (because you own id-rsa.pub), but the value stored to the database will be a completely different eTLD+1:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxx.microsoft.com.
And the database driver did not even warn you about it. Whoops!
Lessons:
- Enforce length limits on both the front-end and back-end.
- Be sure your columns are at least as long as your length limits.
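To make the failure mode and both lessons concrete, here is an added simulation (my own code, not FastMail's and not from the original post). It assumes a suffix-based ownership check, a hypothetical VARCHAR(255) column, and a database running without strict mode, which is mimicked by truncating in Python. The vulnerable path validates the full string and then lets the store truncate it; the hardened path enforces the length limit before the ownership check and verifies that the stored value is byte-for-byte what was validated.

```python
"""Silent-truncation bypass of a suffix-based domain ownership check (simulation).

The "database" here is plain Python: truncating_store() mimics a VARCHAR
column in a non-strict SQL mode, which keeps the first COLUMN_LENGTH
characters of an oversized value instead of rejecting it. Column width and
the ownership rule are assumptions for the demo, not FastMail's real schema.
"""

COLUMN_LENGTH = 255   # assumed width of the domain column
DNS_NAME_MAX = 253    # longest fully qualified name DNS allows (RFC 1035)
DNS_LABEL_MAX = 63    # longest single label DNS allows


def owns_suffix(owned: set[str], candidate: str) -> bool:
    """Ownership check: candidate must equal, or be a subdomain of, an owned domain."""
    candidate = candidate.lower().rstrip(".")
    return any(candidate == d or candidate.endswith("." + d) for d in owned)


def truncating_store(value: str) -> str:
    """Mimics a non-strict SQL column: silently drops everything past COLUMN_LENGTH."""
    return value[:COLUMN_LENGTH]


def add_domain_vulnerable(owned: set[str], candidate: str) -> str:
    """Checks ownership of the submitted string, then stores it; returns what the DB kept."""
    if not owns_suffix(owned, candidate):
        raise PermissionError("domain is not under one you own")
    return truncating_store(candidate)   # the check saw the full string, the DB keeps a prefix


def add_domain_hardened(owned: set[str], candidate: str) -> str:
    """Length and syntax limits first, then ownership, then a read-back consistency check."""
    candidate = candidate.lower().rstrip(".")
    # Lesson 1: enforce the length limit on the back-end, and keep it no larger than the column.
    if len(candidate) > min(DNS_NAME_MAX, COLUMN_LENGTH):
        raise ValueError("domain name too long")
    if any(not label or len(label) > DNS_LABEL_MAX for label in candidate.split(".")):
        raise ValueError("invalid DNS label")
    if not owns_suffix(owned, candidate):
        raise PermissionError("domain is not under one you own")
    stored = truncating_store(candidate)
    # Lesson 2 as a runtime guard: whatever the column width, the persisted value
    # must be exactly the value that passed validation, or the write is an error.
    if stored != candidate:
        raise RuntimeError("stored value differs from validated value")
    return stored


def boundary_payload(owned: str = "id-rsa.pub", target: str = "microsoft.com.") -> str:
    """Constructs the post's example: filler labels sized so `target` ends at char 255."""
    filler = ".".join("x" * n for n in (32, 62, 64, 59, 19))   # 240 chars
    return f"{filler}.{target}{owned}"                          # 241 + 14 + 10 = 265 chars


if __name__ == "__main__":
    owned = {"id-rsa.pub"}
    payload = boundary_payload()
    kept = add_domain_vulnerable(owned, payload)
    print(len(payload), "submitted,", len(kept), "stored; stored ends with", repr(kept[-15:]))
    print("stored value still under an owned domain?", owns_suffix(owned, kept))
    try:
        add_domain_hardened(owned, payload)
    except ValueError as exc:
        print("hardened path rejected it:", exc)
```

Running it shows the vulnerable path accepting a 265-character submission and persisting a 255-character value that ends in `microsoft.com.` and no longer satisfies the ownership check, while the hardened path rejects the same input on length before ownership is even considered. In a real deployment the read-back guard is a backstop; the primary fix is to make the database raise on oversized values (strict SQL mode) and to size the column to the validated limit.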
Bounty
I reported this issue to FastMail.com on 2018-01-01 and received a notification within 22 hours that the issue was fixed, along with a $100 USD bug bounty and a mention in the hall of fame.