Dr.-Ing. Mario Heiderich, Cure53
Rudolf Reusch Str. 33
D 10367 Berlin
Conclusion
This security assessment of Mozilla FxA, which was conducted by seven members of
the Cure53 team in autumn of 2016, managed to unveil a total of fifteen findings.
Given the amount of the audited code and the complexity of the project, this number of
findings classifies as low and translates to an overall positive result of the investigations.
It has to be reiterated that the tests encompassed a full code audit and covered all
relevant parts of the Mozilla FxA ecosystem, meaning that there were no major time
constraints on the part of the Cure53 testers. Despite the fact that the tests were as
thorough as possible on the codebase placed in scope, only a single “Critical” finding
was ultimately spotted. Even though this issue was discovered early on in the test, no
major design issues were identified. Ultimately, the platform was perceived as rather
robust and secured against a wide range of different attacks.
Focusing on more detailed technical discoveries, it appears that the majority of the
design issues stem from the fact that certain processes have not yet been fully
implemented thus far, as evidenced by the mechanism behind the FXA-01-008. The
attempts were therefore made to identify vulnerability patterns and determined where the
weaknesses were most commonly located. Against this background assessment,
suggestions can be made as to how to improve the general level of security offered by
the platform.. Aside from the XSS problems in several unexpected places, no actually
pronounced pattern was visible, again speaking volumes about the security dedication of
the platform maintainers. Nevertheless, it must aid further development to list the
aspects on which special focus was placed during the test.
The items and tasks illustrating the progress and coverage of this test were the
following:
• Analyzing client-side JavaScript files for insecure usage of eval, Function
constructor, DOMXSS and other vulnerabilities. Additional focus on checking for
insecure usage of client-side JavaScript framework code.
• Checking whether user-controlled data is used in the constructor due to the fact
that this can lead to a memory leaks in the application using Buffers.
• Analyzing the image upload endpoint, specifically with regard to checking for
either SSRF or rogue images being allowed. The implemented checks prohibit
non JPEG/PNG images.
• Examining authorization and authentication of profiles, e.g. setting names of
other profiles, account overtake via email overwrite or password reset
functionality, as well as possibility to set passwords without knowing the old
account password.
Cure53, Berlin · 10/10/16 17/18