
PBL-08 Security audit results

Introduction

As part of the security audit of the Single Sign-On (SSO) feature, the Cure53 team found 8 issues, which have been fixed progressively, in order of importance, between v3.11 and v4.1. This ten-day audit involved several security researchers, with a main focus on all the changes related to the implementation of SSO on the API and client side (browser extension and styleguide). Additionally, the audit included a general review of how security best practices are implemented.

Quoting the conclusion of the report: “One can confirm that the focus applications have proven robust against the multitude of attack scenarios instigated from a server and client-side perspective. The ten-day allocation for this examination yielded a total of eight findings, which is a praiseworthy result for the Passbolt team. The volume and severity markers attached to the findings is moderate for a scope of this magnitude. The absence of any major issues - with no Critical-assigned vulnerability in particular - underlines the Passbolt complex’s security strength. Even so, the identified flaws represent a golden opportunity to integrate additional safeguard measures.”

All the issues have been fixed or a mitigation has been implemented as of 10th July 2023.

You can read more about the security audit in the full report.

The Passbolt team would like to express a warm thank you to the security researchers from Cure53 for their valuable contribution to this project.

Vulnerabilities summary

ID          Project              Issue name                                            Severity  Status
PBL-08-001  Browser Extension    Credentials Leakage via Clickjacking                  High      Fixed in v3.11.1
PBL-08-007  Passbolt API         SSO-Design prompt=none allows for auth bypass         Medium    Fixed in v4.1
PBL-08-002  Passbolt styleguide  Passphrase Retained In Memory Post-Logout             Low       Fixed in v3.11
PBL-08-003  Passbolt API         Lack of proper ACL for users Endpoint                 Low       Fixed in v3.11
PBL-08-006  Passbolt API         2FA Status Information Disclosure Via users Endpoint  Info      Fixed in v3.11
PBL-08-004  Passbolt API         No rate-limiting for 2FA login code                   Info      Fixed in v4.1
PBL-08-005  Passbolt API         Cross-Origin-related HTTP security headers missing    Info      Fixed in v4.1
PBL-08-008  Passbolt API         Lack of explicit CSP on extension manifest            Info      Fixed in v4.1
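Two of the findings above (PBL-08-001, clickjacking, and PBL-08-005, missing cross-origin headers) are the kind a deployer can verify on their own instance after upgrading by inspecting response headers. The checker below is an added example written for this article; it is not Passbolt code and this page does not say which headers Passbolt added in v4.1. The header set it grades (X-Frame-Options or a CSP frame-ancestors directive against clickjacking, plus Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy and Cross-Origin-Embedder-Policy) is a common hardening baseline and an assumption of the example, and the two sample responses are constructed, not captured from a real server.

```python
"""Grade a response's headers against a clickjacking / cross-origin baseline.

Added example, not Passbolt's code. The header set checked here is an
assumed common baseline, not the list from the Cure53 report.
"""
from __future__ import annotations


def _frame_ancestors_restricts(csp: str) -> bool:
    """True if the CSP carries a frame-ancestors directive that is not '*'."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return len(parts) > 1 and "*" not in parts[1:]
    return False


def check_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return {check: 'ok' | 'weak' | 'missing'} for one HTTP response.

    Header names are compared case-insensitively, as HTTP requires.
    'weak' means the header is present but its value does not restrict
    anything (e.g. X-Frame-Options: ALLOWALL, frame-ancestors *).
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    result: dict[str, str] = {}

    # Clickjacking: either a restrictive X-Frame-Options or CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "")
    if xfo in ("DENY", "SAMEORIGIN") or _frame_ancestors_restricts(csp):
        result["clickjacking"] = "ok"
    elif xfo or "frame-ancestors" in csp.lower():
        result["clickjacking"] = "weak"
    else:
        result["clickjacking"] = "missing"

    def grade(name: str, allowed: set[str]) -> str:
        value = h.get(name)
        if value is None:
            return "missing"
        return "ok" if value.lower() in allowed else "weak"

    # Cross-origin isolation headers (assumed baseline values).
    result["cross-origin-opener-policy"] = grade(
        "cross-origin-opener-policy", {"same-origin"})
    result["cross-origin-resource-policy"] = grade(
        "cross-origin-resource-policy", {"same-origin", "same-site"})
    result["cross-origin-embedder-policy"] = grade(
        "cross-origin-embedder-policy", {"require-corp", "credentialless"})
    return result


# Constructed sample responses for illustration (not captured from Passbolt).
BEFORE = {"Content-Type": "application/json", "X-Frame-Options": "ALLOWALL"}
AFTER = {
    "Content-Type": "application/json",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, check_headers(hdrs))
```

Feed it the headers of a real response (for example the dict from `requests.get(url).headers`) to compare your own instance against this baseline; a 'weak' result is worth more attention than a 'missing' one, because a present-but-permissive header is easy to mistake for a fix.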

Last updated

This article was last updated on July 10th, 2023.

Current status:

1. Acknowledge issue with reporter
2. Get a fix/patch prepared
3. Release new version
4. Prepare a report about the issue
5. Feature the problem in the release
Last updated: 2023-07-10 08:30:00 CET