PBL-06 Security audit results
Introduction
As part of the security audit of the mobile application, the Cure53 team found 8 issues that have been solved as of v3.5. This audit covered all the changes related to the implementation of the mobile features in the API as well as both the Android and iOS mobile applications. Additionally, the audit included a review of the community-driven project "go-passbolt-cli".
The issues only apply to users participating in the mobile beta, as flagged in the previous incident report, which targeted release 3.3.1 and contained an immediate fix for the only "High" ranked issue.
All the issues have been fixed or a mitigation has been implemented as of 19th Jan 2022.
You can read more about the security audit in the full report.
The Passbolt team would like to express a warm thank you to the security researchers from Cure53 for their collaboration on this project. We would also like to thank Samuel Lorch for promptly rolling out fixes for go-passbolt-cli.
Vulnerabilities summary
| ID | Project | Issue name | Severity | Status |
|---|---|---|---|---|
| PBL-06-001 | Android | Fingerprint bypass via activity invocation | Low | Mitigated (1) |
| PBL-06-002 | iOS | Possible leaks & phishing via URL scheme hijacking | Medium | Fixed in v1.3 |
| PBL-06-005 | Android | Account information access via debug messages | Medium | Fixed in v1.1 |
| PBL-06-006 | iOS | Missing jailbreak detection on iOS | Medium | Fixed in v1.3 |
| PBL-06-007 | Android | Missing root detection in Android | Medium | Fixed in v1.3 |
| PBL-06-008 | API | JWT key confusion leads to authentication bypass | High | Fixed in v3.3.1 |
| PBL-06-009 | GO CLI (Community) | Improper file permissions for configuration file | High | Fixed in v0.1.4 |
| PBL-06-008 | API | Email HTML injection in JWT attack notifications | High | Fixed in v3.5 |
(1) Note PBL-06-001 WP1: Fingerprint bypass via activity invocation (LOW)
Here is some additional information on the issue marked as mitigated. From the report:
"The Android app implements a feature whereby the app locks itself when the user switches to another app. It requires the user to enter the passphrase or the fingerprint in order to continue accessing the authenticated portion of the application. However, it was found that this feature can be trivially bypassed by invoking the MainActivity via an ADB command. This finding does not allow the attacker to view the passwords in plain-text and it can only be leveraged until the currently allocated JWT token expires (its lifetime from creation is five minutes)."
According to our tests, it is not possible to run ADB commands on stock Android. We were able to reproduce the issue on Lineage OS if the user enables "rooted debugging" in the developer options (which requires PIN entry).
Currently, the Android passbolt app displays a notification if the device is considered rooted; that check includes this flag.
It is the responsibility of the user to either not use a rooted device or accept the potential issues.
In Q1 2022 the team will refactor the application so that the fingerprint check cannot be bypassed by invoking another activity directly.
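One way to structure that refactoring, as an added Kotlin example that is not Passbolt's own code: a single session state is locked by the app-wide background event, and every authenticated activity re-checks that state in onResume, so the gate holds whichever activity is launched first. `SessionGate`, `GatedActivity`, `LockActivity` and the five-minute unlock age are assumptions made for illustration.

```kotlin
// Added example, not Passbolt's code: one session state checked by every
// authenticated activity, so the lock holds even when an activity is launched
// directly instead of through the normal navigation flow.
import android.content.Intent
import android.os.SystemClock
import androidx.appcompat.app.AppCompatActivity
import androidx.lifecycle.DefaultLifecycleObserver
import androidx.lifecycle.LifecycleOwner
import androidx.lifecycle.ProcessLifecycleOwner

// Hypothetical in-memory gate. unlockedAt is set only by the lock screen after a
// successful passphrase or biometric check; 0 means locked.
object SessionGate : DefaultLifecycleObserver {
    const val MAX_UNLOCK_AGE_MS = 5 * 60 * 1000L // assumed: aligned with the 5-minute JWT lifetime
    @Volatile var unlockedAt: Long = 0L

    fun isUnlocked(): Boolean =
        unlockedAt != 0L && SystemClock.elapsedRealtime() - unlockedAt < MAX_UNLOCK_AGE_MS

    fun markUnlocked() { unlockedAt = SystemClock.elapsedRealtime() }
    fun lock() { unlockedAt = 0L }

    // ProcessLifecycleOwner fires onStop when the whole app goes to the background,
    // i.e. the "user switched to another app" event that should lock the session.
    override fun onStop(owner: LifecycleOwner) = lock()

    // Call once from Application.onCreate().
    fun install() = ProcessLifecycleOwner.get().lifecycle.addObserver(this)
}

// Every authenticated screen (MainActivity included) extends this base class.
// LockActivity itself must NOT extend it, or it would redirect to itself.
abstract class GatedActivity : AppCompatActivity() {
    override fun onResume() {
        super.onResume()
        if (!SessionGate.isUnlocked()) {
            // Replace the task with the lock screen so no authenticated UI is shown,
            // whatever entry point (launcher, deep link, adb) started this activity.
            startActivity(
                Intent(this, LockActivity::class.java)
                    .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK or Intent.FLAG_ACTIVITY_CLEAR_TASK)
            )
            finish()
        }
    }
}
```

The gate is in-process state, so on a rooted device it remains a mitigation rather than a guarantee, which is why the root-detection notification above still matters.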
Miscellaneous issues
Additionally, the following issues were reported. While they are not considered vulnerabilities as such, they have been reviewed and will be addressed in the future if they are not already fixed.
- PBL-06-003: Android app hardening recommendations (Fixed in v1.3)
- PBL-06-004: Android binary hardening recommendations (In review)
- PBL-06-011: Missing ACL checks on TransfersView controller (Fixed in v3.5)
- PBL-06-012: URL path traversal via command line flags (Open)
- PBL-06-013: Improper escaping of resource fields (Fixed in v0.1.5)
- PBL-06-014: Server packages with known vulnerabilities (Process already in place)
- PBL-06-015: Missing private key revocation process (In backlog)