PBL-08 Security audit results
As part of the security audit of the Single Sign-On (SSO) feature, the Cure53 team found 8 issues, which have been fixed progressively, in order of importance, between v3.11 and v4.1. This week-long audit involved several security researchers and focused mainly on the changes related to the SSO implementation on the API and client side (browser extension and styleguide). It also included a general review of how security best practices are implemented.
Quoting the conclusion of the report: “One can confirm that the focus applications have proven robust against the multitude of attack scenarios instigated from a server and client-side perspective. The ten-day allocation for this examination yielded a total of eight findings, which is a praiseworthy result for the Passbolt team. The volume and severity markers attached to the findings are moderate for a scope of this magnitude. The absence of any major issues - with no Critical-assigned vulnerability in particular - underlines the Passbolt complex’s security strength. Even so, the identified flaws represent a golden opportunity to integrate additional safeguard measures.”
All the issues have been fixed or a mitigation has been implemented as of 10th July 2023.
You can read more about the security audit in the full report.
The Passbolt team would like to express a warm thank you to the security researchers at Cure53 for their valuable contribution to this project.
| ID | Component | Title | Severity | Status |
|---|---|---|---|---|
| PBL-08-001 | Browser Extension | Credentials Leakage via Clickjacking | High | Fixed in v3.11.1 |
| PBL-08-007 | Passbolt API | SSO-Design prompt=none allows for auth bypass | Medium | Fixed in v4.1 |
| PBL-08-002 | Passbolt styleguide | Passphrase Retained In Memory Post-Logout | Low | Fixed in v3.11 |
| PBL-08-003 | Passbolt API | Lack of proper ACL for users Endpoint | Low | Fixed in v3.11 |
| PBL-08-006 | Passbolt API | 2FA Status Information Disclosure Via users Endpoint | Info | Fixed in v3.11 |
| PBL-08-004 | Passbolt API | No rate-limiting for 2FA login code | Info | Fixed in v4.1 |
| PBL-08-005 | Passbolt API | Cross-Origin-related HTTP security headers missing | Info | Fixed in v4.1 |
| PBL-08-008 | Passbolt API | Lack of explicit CSP on extension manifest | Info | Fixed in v4.1 |
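Two of the findings above (PBL-08-001, clickjacking, and PBL-08-005, missing cross-origin headers) are the kind of thing an operator can re-check on their own deployment after upgrading. The script below is an added example written for this page; it is not Passbolt's code, and it does not describe how Passbolt fixed either finding. It parses a raw HTTP response, checks for a framing control (CSP `frame-ancestors` or `X-Frame-Options`) and for the three cross-origin isolation headers (COOP, COEP, CORP), and returns a list of findings. The header set and accepted values are this example's own baseline, not a list taken from the report; the two sample responses are constructed inline.

```python
"""Audit an HTTP response for clickjacking and cross-origin isolation headers.

Added example for this page, not Passbolt's own code. The baseline it
enforces (which headers, which accepted values) is an assumption made here,
not a list taken from the Cure53 report.
"""
from typing import Dict, List, Optional


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.1 response into a map of
    lower-cased header name -> list of values (a header may repeat)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_directive(headers: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Return the source list of a CSP directive, or None if no policy sets it."""
    for policy in headers.get("content-security-policy", []):
        for part in policy.split(";"):
            tokens = part.strip().split()
            if tokens and tokens[0].lower() == directive:
                return tokens[1:]
    return None


def audit_headers(raw_response: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means the
    response meets this example's baseline."""
    h = parse_headers(raw_response)
    findings: List[str] = []

    # Clickjacking: CSP frame-ancestors is the modern control, X-Frame-Options
    # the legacy one. Accept either, but flag a wildcard or an unknown value.
    fa = csp_directive(h, "frame-ancestors")
    xfo = [v.upper() for v in h.get("x-frame-options", [])]
    if fa is None and not xfo:
        findings.append("no framing control: add CSP frame-ancestors or X-Frame-Options")
    elif fa is not None and "*" in fa:
        findings.append("frame-ancestors allows any origin (*)")
    elif fa is None and not any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        findings.append(f"X-Frame-Options has unsupported value(s): {xfo}")

    # Cross-origin isolation headers and the values this baseline accepts
    # (assumption: a private API should not be readable or embeddable
    # cross-origin, so the strict values are required).
    expected = {
        "cross-origin-opener-policy": {"same-origin", "same-origin-allow-popups"},
        "cross-origin-resource-policy": {"same-origin", "same-site"},
        "cross-origin-embedder-policy": {"require-corp", "credentialless"},
    }
    for name, allowed in expected.items():
        values = [v.lower() for v in h.get(name, [])]
        if not values:
            findings.append(f"missing {name}")
        elif not any(v in allowed for v in values):
            findings.append(f"{name} has a weak value: {values}")
    return findings


# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "\r\n{}"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "Cross-Origin-Resource-Policy: same-origin\r\n"
    "Cross-Origin-Embedder-Policy: require-corp\r\n"
    "\r\n{}"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or "OK")
```

To run it against a live instance, capture a response with `curl -si https://your-passbolt-host/` (the `-i` keeps the headers) and feed the text to `audit_headers`. Treat the result as a baseline check only: a response that passes here is not proof that the report's findings are closed, and a response that fails may still be acceptable for an endpoint that is intentionally embeddable.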
This article was last updated on July 10th, 2023.