Introduction
As part of the security audit of Single Sign On feature, Cure53 team, found 8 issues that have been solved progressively by order of importance with v3.11 to v4.1. This week-long audit involved several security researchers with a main focus on all the changes related to the implementation of the SSO on the API and client side (browser extension and styleguide).
Additionally, this audit included a general review of the implementations of the best practices.
Quoting the conclusion of the report:
"One can confirm that the focus applications have proven robust against the multitude of attack scenarios instigated from a server and client-side perspective. The ten-day allocation for this examination yielded a total of eight findings, which is a praiseworthy result for the Passbolt team. The volume and severity markers attached to the findings is moderate for a scope of this magnitude. The absence of any major issues - with no Critical-assigned vulnerability in particular - underlines the Passbolt complex’s security strength. Even so, the identified flaws represent a golden opportunity to integrate additional safeguard measures."
All the issues have been fixed or a mitigation has been implemented as of 10th July 2023.
You can read more about the security audit by reading the full report.
Passbolt team would like to express a warm thank you to the security researchers from Cure53 team for their valuable contribution to this project.
Vulnerabilities summary
| ID | Project | Issue name | Severity | Status |
|---|---|---|---|---|
| PBL-08-001 | Browser Extension | Credentials Leakage via Clickjacking | High | Fixed in v3.11.1 |
| PBL-08-007 | Passbolt API | SSO-Design prompt=none allows for auth bypass | Medium | Fixed v4.1 |
| PBL-08-002 | Passbolt styleguide | Passphrase Retained In Memory Post-Logout | Low | Fixed v3.11 |
| PBL-08-003 | Passbolt API | Lack of proper ACL for users Endpoint | Low | Fixed v3.11 |
| PBL-08-006 | Passbolt API | 2FA Status Information Disclosure Via users Endpoint | Info | Fixed v3.11 |
| PBL-08-004 | Passbolt API | No rate-limiting for 2FA login code | Info | Fixed v4.1 |
| PBL-08-005 | Passbolt API | Cross-Origin-related HTTP security headers missing | Info | Fixed v4.1 |
| PBL-08-008 | Passbolt API | Lack of explicit CSP on extension manifest | Info | Fixed v4.1 |
