Status: fixed with v1.6.7

Summary

Passbolt Extension version 1.6.6 is vulnerable to an information leakage during the setup.

  • CVE: TBD.
  • Product affected: Passbolt Extension.
  • Version affected: v1.6.6 and below.
  • Version fixed: v1.6.7
  • Affected component: Web extension private key passphrase entered before key generation.
  • Vulnerability Type: Information leakage.
  • Impact of issue

    Passphrase disclosure in the browser’s local storage between the key generation phase until the end of the setup.

    Attack vector / exploitation

    An attacker having an access to the user file system during the extension setup, in the scenario where the key is generated by the extension (as opposed to being imported), at the time between the key generation step and the completion, could read the passphrase directly from the local storage. This information could be used to log in into passbolt on behalf of the user and access / decrypt the secrets, therefore creating data confidentiality, integrity and availability issues.

    Credits

    This issue was found and reported by Juan Wajnerman.

    Other information

    How did this happen?

    Passbolt web extension use the local storage to store information about the setup so that a user that close the browser window can come back at a later stage to complete the setup instead of starting from scratch.

    How bad is this?

    From our perspective since the attacker requires an already high privilege in order to access to the local storage of the browser via the file system, and that this information is available only temporarily (e.g. it is removed when the setup is completed), we consider that the exploitability of this vulnerability is low. However considering the high impact and since this vulnerability can be mitigated we decided to act on it.

    What are you doing about it?

    From version 1.6.7 onward a user will not be able to continue the setup after closing the browser window and will have to start the process from scratch starting by clicking on the setup link in their mailbox.

    Current status:

    1. Try first to reproduce the issue
    2. Acknowledge to the reporter
    3. Get a fix/patch prepared
    4. Release new version.
    5. Prepare a report about the issue.
    6. Feature the problem in the release.
    Last updated: 2017-10-13 12:00:00 CET

    Event timeline

    • 2017-10-13 04:40:00 CET: Juan Wajnerman notify passbolt team about the issue.
    • 2017-10-13 08:00:00 CET: Passbolt team starts working on an impact assessment.
    • 2017-10-13 08:50:00 CET: Passbolt team notify Juan and starts working on afix.
    • 2017-10-13 10:40:00 CET: v.1.6.7 is being tested on continuous integration servers.
    • 2017-10-13 12:00:00 CET: v.1.6.7 submitted on chrome webstore and firefox add-ons.
    • 2017-10-13 12:00:00 CET: This incident report is published.