Domain Ownership Bypass via Database Truncation

January 2 2018

Just a quick one: be wary of silent truncation in SQL databases.

In this case, I discovered that when adding email domains to FastMail, it was possible to bypass the ownership check for existing domains.

For example, if you only own, somebody else owns, and you try to add

FastMail ownership check

However, if you know (or can guess!) that the database column is only 255 characters, then you can try to add a value where the domain falls on the truncation boundary:

It will pass the ownership check (because you own), but the value stored to the database will be a completely different eTLD+1:

And the database driver did not even warn you about it. Whoops!


  • Enforce length limits on both the front-end and back-end.
  • Be sure your columns are at least as long as your length limits.
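
The validate-then-truncate mismatch and both mitigations above, as an added Python example (not FastMail's code). `TruncatingColumn` is a constructed stand-in for a 255-character column that truncates silently; `etld_plus_one`, the function names and the `.example` domains are assumptions for illustration.

```python
COLUMN_LIMIT = 255  # column width given in the post

class TruncatingColumn:
    """Constructed stand-in for a 255-character column that truncates silently."""
    def __init__(self, limit=COLUMN_LIMIT):
        self.limit, self.rows = limit, []

    def insert(self, value):
        stored = value[:self.limit]  # no error, no warning
        self.rows.append(stored)
        return stored

def etld_plus_one(domain):
    # Assumption: the last two labels form the eTLD+1. Real code needs the
    # Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def add_domain_naive(db, domain, owned):
    """Pattern from the post: validate the full input, store whatever fits."""
    if etld_plus_one(domain) not in owned:
        raise PermissionError("ownership check failed")
    return db.insert(domain)

def add_domain_checked(db, domain, owned):
    """Length limit first, then ownership, then confirm the round trip."""
    if len(domain) > db.limit:
        raise ValueError("domain exceeds column width")
    if etld_plus_one(domain) not in owned:
        raise PermissionError("ownership check failed")
    stored = db.insert(domain)
    if stored != domain:  # defence in depth if the limits ever drift apart
        raise RuntimeError("stored value differs from validated value")
    return stored

# Constructed sample (not checked for DNS validity): the first 255 characters
# end in ".other.example", the full string ends in the caller's "mine.example".
OWNED = {"mine.example"}
PREFIX = "a" * (COLUMN_LIMIT - len(".other.example")) + ".other.example"
SAMPLE = PREFIX + ".mine.example"

if __name__ == "__main__":
    stored = add_domain_naive(TruncatingColumn(), SAMPLE, OWNED)
    print("validated:", etld_plus_one(SAMPLE), "stored:", etld_plus_one(stored))
    try:
        add_domain_checked(TruncatingColumn(), SAMPLE, OWNED)
    except ValueError as exc:
        print("rejected:", exc)
```

The naive path validates one eTLD+1 and stores another; the checked path rejects the input before anything is written.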


I reported this issue to on 2018-01-01 and received a notification within 22 hours (issue fixed), awarding a $100 USD bug bounty and mention in the hall of fame.