Passbolt security audit 2021 - Part 2

Passbolt team is proud to share with the community the results of the second part of our annual security audit. While the first part focused on the overall architecture of the solution and the whitepaper, this second part focused on the webextensions.

Like the previous audit, this one was conducted for a duration of one week by the team of Cure53, composed of Dr.-Ing. M. Heiderich, Dr. N. Kobeissi, BSc. T.-C. “Filedescriptor” Hong, on the source code of what would become the version 3.2 of the extension.

Without further ado, let’s jump directly to the conclusion of the report:

All in all, Passbolt WebExtension gives a good impression in terms of both code quality and security. Similarly positive verdict can be maintained for the implementation of the already audited cryptography. The Passbolt extension stands strong and the audit and pentest did not manage to unveil any serious severity bugs, whereas the overall number of problems is also limited to just two minor flaws. This is a very good result, especially after a rather high number of findings exposed in PBL-01. It is apparent that the development team has a good grasp of both the web and browser security and cryptography. This comes as no surprise given the vast experience they have gained through past projects. From the perspective of security and privacy, Passbolt can be judged as a praiseworthy, production-ready browser extension.

As always, you can access and read the full report.

As mentioned above the audit yielded one vulnerability and one finding of low impact. This issue has been fixed with version v3.2.1 released at the end of May 2021. Long story short this vulnerability is related to suggestions that can be made wrongly for domains that do not have TLDs. Typically this is the case for intranet domains, e.g. https://email would be suggested when someone visits https://titan.email.

Another finding, which the passbolt team already knew about, is the lack of CSRF protection on the logout action. It is possible for an attacker knowing the passbolt domain of a given user to craft a link to trigger a logout. This can cause at best an annoyance to some users. Since fixing this would break backward compatibility, we will introduce a secure logout endpoint in passbolt v3 and remove the old endpoint in v4.

The next stop will be a pentest of the server components. We expect to share the results of this upcoming audit in the course of summer 2021. In the meantime we would like to take the opportunity to thank the team of Cure53 for their work as well as Thomas Oberndörfer from Mailvelope, who helped us prepare for this audit.

Feel free to reach out at [email protected] if you have more questions, or in the comments section below.