Autofill Suggestions

Bug Bounty: Autofill suggestions logic flaw

As part of Passbolt Bug Bounty program, security researcher René Kroka reported a new vulnerability affecting the extension.

A fix has been automatically rolled out as part of the web extension auto update mechanism. If you have disabled automatic updates, please update your extension manually.

Summary

Description

An attacker can craft a malicious page and URL so that the user is tricked into using passbolt to autofill some credentials on the wrong domain.

Prior to v2.11.2 Passbolt Extension an attacker, for example, could create a page with the following url: https://attacker.com/?https://valid-domain.com&https://valid-domain2.com Passbolt would wrongfully suggest the valid domain as part of the suggestions of credentials that could be used on the given url.

Impact of issue

An attacker could use this flaw as part of a larger phishing campaign to capture a given user credential, or credentials one domain at a time. To our perspective the impact is limited by the fact that it requires two manual user interactions. Moreover passbolt never autofills credentials without a user confirmation.

Fix

Passbolt since v2.11.2 checks if the domain of the current url tab is matching the domain of the credentials stored in passbolt. If a subdomain is defined in the credential stored in passbolt, the suggestion will only be presented for that given subdomain (e.g. mail.app.com will not be suggested for calendar.app.com). If no subdomain is defined in the credential stored in passbolt all subdomain urls will be matched as valid for suggestions (e.g. app.com will be suggested for mail.app.com).

Event timeline

• 2019-11-17: Security researcher notifies passbolt team about the issue.
• 2019-11-17: Passbolt acknowledges the issue and start working on a fix.
• 2019-11-20: Fix is ready and included as part of v2.11.2 release UAT.
• 2019-11-21: Passbolt publishes a fix.