PBL-08 Security audit results

Introduction

As part of the security audit of Single Sign On feature, Cure53 team, found 8 issues that have been solved progressively by order of importance with v3.11 to v4.1. This week-long audit involved several security researchers with a main focus on all the changes related to the implementation of the SSO on the API and client side (browser extension and styleguide).
Additionally, this audit included a general review of the implementations of the best practices.

Quoting the conclusion of the report:

"One can confirm that the focus applications have proven robust against the multitude of attack scenarios instigated from a server and client-side perspective. The ten-day allocation for this examination yielded a total of eight findings, which is a praiseworthy result for the Passbolt team. The volume and severity markers attached to the findings is moderate for a scope of this magnitude. The absence of any major issues - with no Critical-assigned vulnerability in particular - underlines the Passbolt complex’s security strength. Even so, the identified flaws represent a golden opportunity to integrate additional safeguard measures."

All the issues have been fixed or a mitigation has been implemented as of 10th July 2023.

You can read more about the security audit by reading the full report.

Passbolt team would like to express a warm thank you to the security researchers from Cure53 team for their valuable contribution to this project.

Vulnerabilities summary