Passbolt Extension version 1.6.6 is vulnerable to information leakage during the setup.
Impact of issue
Passphrase disclosure in the browser's local storage from the key generation phase until the end of the setup.
Attack vector / exploitation
An attacker with access to the user's file system during the extension setup, in the scenario where the key is generated by the extension (as opposed to being imported), and in the window between the key generation step and completion of the setup, could read the passphrase directly from the local storage. This information could be used to log in to passbolt on behalf of the user and access / decrypt the secrets, therefore creating data confidentiality, integrity and availability issues.
This issue was found and reported by Juan Wajnerman.
How did this happen?
The Passbolt web extension uses the browser's local storage to store information about the setup, so that a user who closes the browser window can come back at a later stage and complete the setup instead of starting from scratch. In the key generation scenario this stored setup state included the passphrase.
How bad is this?
From our perspective, since the attacker already requires high privileges in order to reach the browser's local storage via the file system, and since this information is only available temporarily (it is removed when the setup is completed), we consider the exploitability of this vulnerability to be low. However, considering the high impact and since this vulnerability can be mitigated, we decided to act on it.
What are you doing about it?
From version 1.6.7 onward a user will not be able to continue the setup after closing the browser window and will have to start the process from scratch, beginning by clicking on the setup link in their mailbox.
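As an added illustration (not passbolt's own code), here is the vulnerable persistence pattern the advisory describes beside a hardened version that keeps the passphrase in memory only, plus a check that scans the stored values for the secret. The storage object is a constructed stand-in for window.localStorage so the example runs outside a browser; the field names are assumptions.

```javascript
// Constructed stand-in for window.localStorage (string key/value store).
const store = new Map();
const fakeLocalStorage = {
  setItem: (k, v) => store.set(k, String(v)),
  getItem: (k) => (store.has(k) ? store.get(k) : null),
  removeItem: (k) => store.delete(k),
};

// Assumed field names: the one field that must never reach disk.
const SECRET_FIELDS = new Set(['passphrase']);

// Vulnerable shape (the 1.6.6 behaviour): the whole setup object, passphrase
// included, is written to local storage after key generation so the user can
// resume later. Anyone who can read the profile directory can read it too.
function saveSetupVulnerable(setup) {
  fakeLocalStorage.setItem('setup', JSON.stringify(setup));
}

// Hardened shape: secret fields stay in process memory and are lost when the
// window closes, which is what forces a restart of the setup; only non-secret
// progress is persisted. (The 1.6.7 fix goes further and persists nothing.)
let inMemorySecrets = {};
function saveSetupHardened(setup) {
  const persisted = {};
  for (const [k, v] of Object.entries(setup)) {
    if (SECRET_FIELDS.has(k)) inMemorySecrets[k] = v;
    else persisted[k] = v;
  }
  fakeLocalStorage.setItem('setup', JSON.stringify(persisted));
}
const getSecret = (k) => inMemorySecrets[k];

// Defender check: flag any stored entry that carries a secret field name or
// contains the secret literal itself. Returns the offending storage keys.
function findLeakedSecrets(secretLiteral) {
  const leaked = [];
  for (const [key, raw] of store) {
    let value;
    try { value = JSON.parse(raw); } catch { value = raw; }
    const hasSecretField = value !== null && typeof value === 'object' &&
      Object.keys(value).some((k) => SECRET_FIELDS.has(k));
    if (hasSecretField || raw.includes(secretLiteral)) leaked.push(key);
  }
  return leaked;
}

// Completing the setup wipes both the persisted state and the in-memory secret.
function clearSetup() {
  fakeLocalStorage.removeItem('setup');
  inMemorySecrets = {};
}
```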
- 2017-10-13 04:40:00 CET: Juan Wajnerman notifies the passbolt team about the issue.
- 2017-10-13 08:00:00 CET: Passbolt team starts working on an impact assessment.
- 2017-10-13 08:50:00 CET: Passbolt team notifies Juan and starts working on a fix.
- 2017-10-13 10:40:00 CET: v.1.6.7 is being tested on continuous integration servers.
- 2017-10-13 12:00:00 CET: v.1.6.7 submitted to the Chrome Web Store and Firefox Add-ons.
- 2017-10-13 12:00:00 CET: This incident report is published.