PBL-06 Security audit results

Introduction

As part of the security audit of the mobile application, the Cure53 team found 8 issues, all of which have been solved with v3.5. The audit covered all changes related to the implementation of the mobile features in the API, as well as both the Android and iOS mobile applications. Additionally, the audit included a review of the community-driven project "go-passbolt-cli".

The issues only apply to users participating in the mobile beta, as flagged in the previous incident report, which covered release 3.3.1 and its immediate fix for the only "High" ranked issue.

As of 19th Jan 2022, all the issues have been fixed or a mitigation has been implemented.

You can read more about the security audit by reading the full report.

The Passbolt team would like to express a warm thank you to the security researchers of the Cure53 team for their collaboration on this project. We would also like to thank Samuel Lorch for promptly rolling out fixes for go-passbolt-cli.

Vulnerabilities summary

| ID         | Project            | Issue name                                          | Severity | Status           |
|------------|--------------------|-----------------------------------------------------|----------|------------------|
| PBL-06-001 | Android            | Fingerprint bypass via activity invocation          | Low      | Mitigated (1)    |
| PBL-06-002 | iOS                | Possible leaks & Phishing via URL scheme hijacking  | Medium   | Fixed in v1.3    |
| PBL-06-005 | Android            | Account information access via debug messages       | Medium   | Fixed in v1.1    |
| PBL-06-006 | iOS                | Missing jailbreak detection on iOS                  | Medium   | Fixed in v1.3    |
| PBL-06-007 | Android            | Missing root detection in Android                   | Medium   | Fixed in v1.3    |
| PBL-06-008 | API                | JWT key confusion leads to authentication bypass    | High     | Fixed in v3.3.1  |
| PBL-06-009 | GO CLI (Community) | Improper file permissions for configuration file    | High     | Fixed in v0.1.4  |
| PBL-06-008 | API                | Email HTML injection in JWT attack notifications    | High     | Fixed in v3.5    |

(1) Note PBL-06-001 WP1: Fingerprint bypass via activity invocation (LOW)

Here is some additional information on the issue marked as mitigated. From the report:

"The Android app implements a feature whereby the app locks itself when the user switches to another app.
It requires the user to enter the passphrase or the fingerprint in order to continue accessing the authenticated portion of the application. However, it was found that this feature can be trivially bypassed by invoking the MainActivity via an ADB command. This finding does not allow the attacker to view the passwords in plain-text and it can only be leveraged until the currently allocated JWT token expires (its lifetime from creation is five minutes)."

According to our tests, it is not possible to run ADB commands on stock Android. We were able to reproduce the issue on Lineage OS if the user enables "rooted debugging" in the developer options (which requires PIN entry).
Currently, the passbolt Android app displays a notification if the device is considered rooted, and the "rooted debugging" flag is one of the conditions that triggers this.
It is the user's responsibility either not to use a rooted device or to accept the associated risks.

In Q1 2022 the team will refactor the application so that the fingerprint check cannot be bypassed by invoking another activity directly.
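The planned refactor above amounts to moving the lock decision out of any single screen and into one process-wide gate. The following Kotlin sketch is an added illustration of that pattern; it is not passbolt's code, and the names `SessionLock`, `SessionLockGate`, `UnlockActivity` and `App` are assumptions of this example. The lock state is checked from Application.ActivityLifecycleCallbacks on every activity resume, so an activity started directly (for instance via a shell on a rooted device) still lands on the unlock screen, and the app locks itself as soon as it has no visible activity left.

```kotlin
import android.app.Activity
import android.app.Application
import android.content.Intent
import android.os.Bundle
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

// Illustrative pattern, not passbolt's implementation. Single source of truth for
// "is the authenticated part of the app currently locked?".
object SessionLock {
    @Volatile private var locked: Boolean = true

    fun isLocked(): Boolean = locked
    fun lock() { locked = true }

    // Called only from UnlockActivity after a successful biometric/passphrase check.
    fun unlock() { locked = false }
}

// Registered once per process; runs for every Activity, however it was started,
// so there is no single screen whose check can be skipped by launching another one.
class SessionLockGate : Application.ActivityLifecycleCallbacks {
    private var visibleActivities = 0

    override fun onActivityResumed(activity: Activity) {
        // The unlock screen is the only activity allowed to show while locked.
        if (activity is UnlockActivity || !SessionLock.isLocked()) return
        activity.startActivity(Intent(activity, UnlockActivity::class.java))
    }

    override fun onActivityStarted(activity: Activity) { visibleActivities++ }

    override fun onActivityStopped(activity: Activity) {
        // No visible activity left: the user switched away, so lock immediately.
        visibleActivities--
        if (visibleActivities == 0) SessionLock.lock()
    }

    override fun onActivityCreated(activity: Activity, savedInstanceState: Bundle?) {}
    override fun onActivityPaused(activity: Activity) {}
    override fun onActivitySaveInstanceState(activity: Activity, outState: Bundle) {}
    override fun onActivityDestroyed(activity: Activity) {}
}

// Hypothetical unlock screen: asks for a biometric and only then clears the lock.
class UnlockActivity : FragmentActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                SessionLock.unlock()
                finish()  // returns to whatever protected activity was underneath
            }
        }
        val prompt = BiometricPrompt(this, ContextCompat.getMainExecutor(this), callback)
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock")
            .setNegativeButtonText("Use passphrase")  // passphrase flow omitted here
            .build()
        prompt.authenticate(info)
    }

    // Back must not dismiss the unlock screen while the session is still locked.
    override fun onBackPressed() { if (!SessionLock.isLocked()) super.onBackPressed() }
}

class App : Application() {
    override fun onCreate() {
        super.onCreate()
        registerActivityLifecycleCallbacks(SessionLockGate())
    }
}
```

Protected activities should defer loading sensitive content until `SessionLock.isLocked()` is false, since the gate only covers them with the unlock screen rather than preventing them from resuming; a production version would also handle the passphrase fallback and biometric errors, which this sketch leaves out.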

Miscellaneous issues

Additionally, the following issues were reported. While they are not considered vulnerabilities as such, they have been reviewed and will be addressed in the future where they are not already fixed.

  • PBL-06-003: Android app hardening recommendations (Fixed v1.3)
  • PBL-06-004: Android binary hardening recommendations (In review)
  • PBL-06-011: Missing ACL checks on TransfersView controller (Fixed v3.5)
  • PBL-06-012: URL path traversal via command line flags (Open)
  • PBL-06-013: Improper escaping of resource fields (Fixed v0.1.5)
  • PBL-06-014: Server packages with known vulnerabilities (Process already in place)
  • PBL-06-015: Missing private key revocation process (In backlog)

Current status:

1. Acknowledge issue with reporter
2. Get a fix/patch prepared
3. Release new version
4. Prepare a report about the issue
5. Feature the problem in the release

Last updated: 2019-08-07 16:00:00 CET