PBL-11 Security audit results
Introduction
In the lead-up to the stable release of the Passbolt UWP Windows application, the Cure53 team dedicated two days to a focused audit of the application's native layer. This review revealed a total of five findings: four security vulnerabilities and one general weakness, all of which were fixed before the v1.0 release.
Quotes from the conclusion of the report:
“Upon completion of this security audit, Cure53 gained a strong impression of the security premise employed by the Passbolt team. The quality of the codebase was generally impressive, while the architecture and frameworks employed generally installed resilient design paradigms.”
In addition to the detailed findings of this audit, the security incidents section also hosts separate reports covering the browser extensions. Since part of the extension's code is reused in the desktop application, those reports give more detail on other components of this application.
All the issues have been fixed or mitigations have been implemented as of 11th April 2024.
You can read more about the security audit in the full report.
A big thank you from the Passbolt team to Cure53 for their collaborative spirit and expertise shared during this project.
Vulnerability summary
| ID | Issue name | Severity | Status |
|---|---|---|---|
| PBL-11-001 | Insecure Regex pattern allows canNavigate bypass | Medium | Mitigated in v1.0 |
| PBL-11-002 | PasswordVault can be accessed by Desktop apps | Low | Mitigated in v1.0 |
| PBL-11-003 | JS execution by modifying LocalFolder Resources | Low | Mitigated in v1.0 |
| PBL-11-004 | Insecure CSP Configuration in renderers | Low | Mitigated in v1.0 |
| PBL-11-005 | Arbitrary requestId used as topic in background | Medium | Mitigated in v1.0 |