PBL-08 Security audit results

Introduction

As part of the security audit of the Single Sign-On (SSO) feature, the Cure53 team found 8 issues, which have been fixed progressively, in order of importance, between v3.11 and v4.1. The audit involved several security researchers over ten days and focused on all changes related to the SSO implementation, both on the API side and on the client side (browser extension and styleguide).
Additionally, the audit included a general review of how security best practices are implemented.

Quoting the conclusion of the report:

"One can confirm that the focus applications have proven robust against the multitude of attack scenarios instigated from a server and client-side perspective. The ten-day allocation for this examination yielded a total of eight findings, which is a praiseworthy result for the Passbolt team. The volume and severity markers attached to the findings are moderate for a scope of this magnitude. The absence of any major issues - with no Critical-assigned vulnerability in particular - underlines the Passbolt complex’s security strength. Even so, the identified flaws represent a golden opportunity to integrate additional safeguard measures."

As of 10 July 2023, every issue has either been fixed or had a mitigation put in place.

You can read more about the security audit in the full report.

The Passbolt team would like to warmly thank the security researchers of the Cure53 team for their valuable contribution to this project.

Vulnerabilities summary

ID         | Project             | Issue name                                          | Severity | Status
-----------|---------------------|-----------------------------------------------------|----------|------------------
PBL-08-001 | Browser Extension   | Credentials Leakage via Clickjacking                | High     | Fixed in v3.11.1
PBL-08-007 | Passbolt API        | SSO-Design prompt=none allows for auth bypass       | Medium   | Fixed in v4.1
PBL-08-002 | Passbolt styleguide | Passphrase Retained In Memory Post-Logout           | Low      | Fixed in v3.11
PBL-08-003 | Passbolt API        | Lack of proper ACL for users Endpoint               | Low      | Fixed in v3.11
PBL-08-006 | Passbolt API        | 2FA Status Information Disclosure Via users Endpoint | Info     | Fixed in v3.11
PBL-08-004 | Passbolt API        | No rate-limiting for 2FA login code                 | Info     | Fixed in v4.1
PBL-08-005 | Passbolt API        | Cross-Origin-related HTTP security headers missing  | Info     | Fixed in v4.1
PBL-08-008 | Passbolt API        | Lack of explicit CSP on extension manifest          | Info     | Fixed in v4.1
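The summary above does not say which headers PBL-08-005 covered or how to verify a deployment. As an added example (written for this page; not Passbolt's code and not from the Cure53 report), the following Python script checks a set of HTTP response headers for the cross-origin isolation and anti-framing protections that "cross-origin-related HTTP security headers" usually means. The concrete set checked (Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Resource-Policy, plus a CSP frame-ancestors or X-Frame-Options framing check) is the editor's assumption, not a list taken from the finding, and the two sample header sets are constructed rather than captured from any instance. Run with a URL argument it fetches the headers of a live instance; without one it evaluates the constructed samples.

```python
"""Check HTTP response headers for cross-origin isolation and anti-framing
protections.

Added example; not Passbolt code. The set of headers checked is an
assumption about what "cross-origin-related HTTP security headers" covers.
"""
import sys
import urllib.request
from typing import Mapping

# Header -> values accepted as hardened (compared case-insensitively).
# Assumed set; the finding itself does not enumerate headers.
EXPECTED_CROSS_ORIGIN = {
    "Cross-Origin-Opener-Policy": ("same-origin",),
    "Cross-Origin-Embedder-Policy": ("require-corp", "credentialless"),
    "Cross-Origin-Resource-Policy": ("same-origin", "same-site"),
}


def _directives(csp: str) -> dict:
    """Parse a Content-Security-Policy header into {directive: value}."""
    out = {}
    for part in csp.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition(" ")
        out[name.lower()] = value.strip()
    return out


def check_cross_origin_headers(headers: Mapping[str, str]) -> dict:
    """Return {header_or_check: problem} for anything missing or weak.

    An empty dict means every check passed. Header names are matched
    case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = {}

    for name, accepted in EXPECTED_CROSS_ORIGIN.items():
        value = h.get(name.lower())
        if value is None:
            findings[name] = "missing"
        elif value.lower() not in accepted:
            findings[name] = f"weak value: {value}"

    # Framing: a CSP frame-ancestors directive supersedes X-Frame-Options in
    # browsers that support it, so either one is accepted as protection.
    csp = _directives(h.get("content-security-policy", ""))
    frame_ancestors = csp.get("frame-ancestors")
    xfo = h.get("x-frame-options", "").upper()
    if frame_ancestors is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings["framing"] = ("no frame-ancestors directive and no "
                               "X-Frame-Options DENY/SAMEORIGIN")
    elif frame_ancestors is not None and "*" in frame_ancestors:
        findings["framing"] = f"frame-ancestors allows any origin: {frame_ancestors}"

    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> dict:
    """Fetch response headers from a live instance (network; optional)."""
    req = urllib.request.Request(url, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (not captured from any real instance).
SAMPLE_WEAK = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "ALLOWALL",  # not a protective value
    "Cross-Origin-Opener-Policy": "unsafe-none",
}
SAMPLE_HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
}

if __name__ == "__main__":
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WEAK
    problems = check_cross_origin_headers(headers)
    for name, problem in problems.items():
        print(f"{name}: {problem}")
    if not problems:
        print("all cross-origin and framing checks passed")
```

Two caveats when using a check like this: frame-ancestors is only honoured when delivered in the HTTP header, not in a meta tag, so the script deliberately reads headers only; and a single page is not enough, since every HTML-serving endpoint (login, SSO callback, recovery pages) needs the same headers, so run it against each one.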

Current status:

1. Acknowledge issue with reporter
2. Get a fix/patch prepared
3. Release new version
4. Prepare a report about the issue
5. Feature the problem in the release

Last updated: 2023-07-10 08:30:00 CET