Identity/SecurityAdvisories/MOZID-20121204
Announced: December 4, 2012
A few weeks ago, Mozilla discovered a security hole in the implementation of the Persona service. We developed and deployed a fix within 24 hours. Over the weeks that followed, we meticulously reviewed our database and confirmed that this issue had not been exploited. As a result, we believe with high confidence that no users were affected. We want to tell you more about what happened, how we addressed it, and how we will continue to secure the Persona login service.
Though we reacted and deployed a fix immediately, we took a little while to disclose this issue, because we wanted to conduct a thorough investigation to ensure that, prior to our fix, users had not been affected. By the time we were done, it was Thanksgiving Holiday in the US, and we didn't want to bury the disclosure during a vacation period – that's not our style. Since we had strong early hints that users were not affected, we believe this delay was acceptable. However, in the future, in our continuing effort to be safe and fully transparent (as per https://blog.mozilla.org/security/2012/10/31/mozillas-commitment-to-security/), we'll strive to disclose more promptly.
Background
Mozilla Persona is an easy-to-use and easy-to-deploy login system for the Web. Users verify their email address with Persona, and Persona then certifies those email addresses to the web sites the user wishes to log into. Persona is designed to be decentralized: any domain can stand up as its own Persona Identity Provider, certifying its users directly rather than relying on one central service for everyone. The Persona Service stores the user's list of email addresses and issues certificates for them, unless an email address belongs to a domain that has stood up a Persona Identity Provider service, in which case Persona lets that domain issue certificates directly.
The Vulnerability
One entry point into Persona was not protected as well as the rest: the bug could have let someone create an invalid certificate for a user that Persona would mistakenly accept for the purpose of adding an email address to the user's list. An attacker exploiting this could then have led the Persona service to produce a valid certificate for another email address, by confusing Persona about whether or not the domain of that email address was a proper Identity Provider.
The details of the bug are described on the Bugzilla page (https://bugzilla.mozilla.org/show_bug.cgi?id=793579).
Q&A
Who discovered this bug?
Ryan Kelly, one of Mozilla's awesome Services Engineers.
How quickly was it fixed?
The fix was deployed in production within 24 hours of discovery.
Who was affected?
Almost certainly no one. We discovered this bug ourselves and fixed it immediately. We reviewed our database and found no traces of this exploit being performed against real users. The nature of the vulnerability could only potentially allow attacks against individual accounts; as a result there was no impact to the security of web sites using Persona beyond the potential for account compromise, and the vulnerability could only affect one user at a time.
Why wasn't this issue discovered earlier?
This was a complex vulnerability that required the combination of one serious bug and two less serious issues. No system is perfectly secure, but we are constantly working to layer multiple defenses into Persona so that these issues are as rare as possible. We are proud to say that, to date, all security issues in Persona have been discovered internally by Mozilla or our close associates.
Why did it take Mozilla so long to report on this issue?
We fixed the issue within 24 hours and determined, within 48 additional hours, that it was very unlikely any real users had been impacted. Rather than rush out a security disclosure, we opted to fully evaluate and understand all angles of the issue. This allowed us to ensure that we hadn't missed any details and increased our confidence that no users had been affected. Because we had confidence early on that users were never affected, we believe this was an acceptable approach. However, we've also decided that, in the future, we will be more prompt with disclosures, even when users have not been affected.
What was the root cause?
Our integrity checks on Persona certificates were not consistently strong: on most API calls, we did the right thing, but on one, we did not. That, combined with a couple of other tricks, could have allowed an attacker to forge a certificate for another user.
What is Mozilla doing to further secure Persona given this issue?
All fixed security bugs come with security regression testing to ensure that further code changes do not, in any way, undo the new security defense introduced. In addition, we are spending considerable effort designing a simpler approach to certificate validation, the crux of our system.
Has Mozilla performed a third-party audit of Persona?
We have, and we are in the final stages of analyzing the results. There are no important outstanding issues left to address from that audit, and the results were overall quite positive. We'll be sharing the details of this third-party audit in the very near future.