
PBL-06 Security audit results

Introduction

As part of the security audit of the mobile application, the Cure53 team found 8 issues, all of which have been resolved with v3.5. This audit covered all the changes related to the implementation of the mobile features in the API as well as both the Android and iOS mobile applications. Additionally, this audit included a review of the community-driven project “go-passbolt-cli”.

The issues are only applicable to users participating in the mobile beta, as flagged in the previous incident report, which targeted release 3.3.1 and contained an immediate fix for the only “High” ranked issue.

All the issues have been fixed or a mitigation has been implemented as of 19th Jan 2022.

You can read more about the security audit by reading the full report.

The Passbolt team would like to express a warm thank you to the security researchers from the Cure53 team for their collaboration on this project. We would also like to thank Samuel Lorch for rolling out fixes promptly for go-passbolt-cli.

Vulnerabilities summary

ID | Project | Issue name | Severity | Status
---|---|---|---|---
PBL-06-001 | Android | Fingerprint bypass via activity invocation | Low | Mitigated (1)
PBL-06-002 | iOS | Possible leaks & phishing via URL scheme hijacking | Medium | Fixed in v1.3
PBL-06-005 | Android | Account information access via debug messages | Medium | Fixed in v1.1
PBL-06-006 | iOS | Missing jailbreak detection on iOS | Medium | Fixed in v1.3
PBL-06-007 | Android | Missing root detection in Android | Medium | Fixed in v1.3
PBL-06-008 | API | JWT key confusion leads to authentication bypass | High | Fixed in v3.3.1
PBL-06-009 | GO CLI (Community) | Improper file permissions for configuration file | High | Fixed in v0.1.4
PBL-06-008 | API | Email HTML injection in JWT attack notifications | High | Fixed in v3.5

(1) Note PBL-06-001 WP1: Fingerprint bypass via activity invocation (LOW)

Here is some additional information on the issue marked as mitigated. From the report:

“The Android app implements a feature whereby the app locks itself when the user switches to another app. It requires the user to enter the passphrase or the fingerprint in order to continue accessing the authenticated portion of the application. However, it was found that this feature can be trivially bypassed by invoking the MainActivity via an ADB command. This finding does not allow the attacker to view the passwords in plain-text and it can only be leveraged until the currently allocated JWT token expires (its lifetime from creation is five minutes).”

According to our tests, it is not possible to run ADB commands on stock Android devices. We were able to reproduce the issue on Lineage OS if the user enables “rooted debugging” in the developer options (which requires PIN entry). Currently, the Android passbolt app will display a notification if the device is considered rooted, which includes this flag. It is the responsibility of the user to either not use rooted devices or accept the potential issues.

In Q1 2022 the team will refactor the application to prevent a fingerprint check from being bypassed by invoking another activity directly.
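One way such a refactoring can be structured, as an added illustration that is not Passbolt's code: every authenticated screen re-checks the lock state in onResume(), so an activity reached by a direct external intent is gated the same way as one reached through normal navigation. SessionLock, LockOnBackground, LockedActivity and LockScreenActivity are hypothetical names.

```kotlin
import android.app.Application
import android.content.Intent
import androidx.appcompat.app.AppCompatActivity
import androidx.lifecycle.DefaultLifecycleObserver
import androidx.lifecycle.LifecycleOwner
import androidx.lifecycle.ProcessLifecycleOwner

// Hypothetical lock state shared by all authenticated screens.
object SessionLock {
    @Volatile var isLocked: Boolean = true

    // Called only after a successful passphrase or biometric prompt.
    fun unlock() { isLocked = false }
    fun lock() { isLocked = true }
}

// Lock as soon as the whole process leaves the foreground, independent of
// which activity was visible. ProcessLifecycleOwner fires onStop once for
// the app as a whole, not once per activity.
class LockOnBackground : Application() {
    override fun onCreate() {
        super.onCreate()
        ProcessLifecycleOwner.get().lifecycle.addObserver(object : DefaultLifecycleObserver {
            override fun onStop(owner: LifecycleOwner) = SessionLock.lock()
        })
    }
}

// Every authenticated activity inherits this check. Because it runs in
// onResume(), it also covers an activity started directly by an external
// intent rather than through the app's own navigation.
abstract class LockedActivity : AppCompatActivity() {
    override fun onResume() {
        super.onResume()
        if (SessionLock.isLocked) {
            startActivity(Intent(this, LockScreenActivity::class.java))
            finish() // drop this screen so "back" cannot return to unlocked content
        }
    }
}

// The lock screen must extend AppCompatActivity, not LockedActivity, or it
// would redirect to itself. Hypothetical: after the prompt succeeds it calls
// SessionLock.unlock() and relaunches the screen the user came from.
class LockScreenActivity : AppCompatActivity()

class MainActivity : LockedActivity()
```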

Miscellaneous issues

Additionally, the following issues were reported. While they are not considered vulnerabilities as such, they have been reviewed and will be addressed in the future if they are not already fixed.

  • PBL-06-003: Android app hardening recommendations (Fixed v1.3)
  • PBL-06-004: Android binary hardening recommendations (In review)
  • PBL-06-011: Missing ACL checks on TransfersView controller (Fixed v3.5)
  • PBL-06-012: URL path traversal via command line flags (Open)
  • PBL-06-013: Improper escaping of resource fields (Fixed v0.1.5)
  • PBL-06-014: Server packages with known vulnerabilities (Process already in place)
  • PBL-06-015: Missing private key revocation process (In backlog)

Last updated

This article was last updated on January 19th, 2022.

Current status:

1. Acknowledge issue with reporter
2. Get a fix/patch prepared
3. Release new version
4. Prepare a report about the issue
5. Feature the problem in the release

Last updated: 2022-01-19 08:30:00 CET