PBL-11 Security audit results

Introduction

In the lead-up to the stable release of the Passbolt UWP Windows application, the Cure53 team dedicated two days to a focused audit of the application's native layer. The review produced five findings in total, four security vulnerabilities and one general weakness, all of which were resolved before the v1.0 release.

Quotes from the conclusion of the report:

“Upon completion of this security audit, Cure53 gained a strong impression of the security premise employed by the Passbolt team. The quality of the codebase was generally impressive, while the architecture and frameworks employed generally installed resilient design paradigms.”

In addition to the detailed findings of this audit, the security incident section also houses separate reports covering the browser extension. Since part of the extension's code is reused in the desktop application, those reports give more detail on other components of this application.

All issues had been fixed, or mitigations implemented, as of 11 April 2024.

For more detail, read the full report.

A big thank you from the Passbolt team to Cure53 for their collaborative spirit and expertise shared during this project.

Vulnerabilities summary

ID         | Issue name                                          | Severity | Status
PBL-11-001 | Insecure regex pattern allows canNavigate bypass    | Medium   | Mitigated in v1.0
PBL-11-002 | PasswordVault can be accessed by desktop apps       | Low      | Mitigated in v1.0
PBL-11-003 | JS execution by modifying LocalFolder resources     | Low      | Mitigated in v1.0
PBL-11-004 | Insecure CSP configuration in renderers             | Low      | Mitigated in v1.0
PBL-11-005 | Arbitrary requestId used as topic in background     | Medium   | Mitigated in v1.0
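The page only names PBL-11-001 ("insecure regex pattern allows canNavigate bypass") and does not describe the pattern involved, so the following is an added illustration of that bug class in general, not Passbolt's code or the actual finding. The trusted origin, the weak regex and the function names are assumptions chosen for the demonstration. It contrasts a substring-style regex allow-list for navigation targets, which can be bypassed with suffixed hosts, unescaped-dot lookalikes and URLs that merely contain the trusted string, with a check that parses the URL and compares the origin exactly.

```javascript
// Added example: a navigation allow-list done with a loose regex versus one
// done with URL parsing. Hypothetical code, not from the Passbolt project.

// Assumed trusted origin for the demo (not a real Passbolt host).
const TRUSTED_ORIGIN = "https://app.passbolt.example";

// Weak check: the pattern is unanchored and its '.' characters are
// unescaped, so it matches far more than the intended origin.
const WEAK_PATTERN = /https:\/\/app.passbolt.example/;

function canNavigateWeak(url) {
  return WEAK_PATTERN.test(url);
}

// Hardened check: parse the candidate URL and require an exact origin
// match (scheme + host + port). Anything that does not parse is rejected.
function canNavigateStrict(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input is never a valid navigation target
  }
  return parsed.origin === TRUSTED_ORIGIN;
}

// Constructed inputs: [url, should be allowed]
const CASES = [
  ["https://app.passbolt.example/app/passwords", true],
  ["https://app.passbolt.example.attacker.test/", false],                 // suffix bypass
  ["https://attacker.test/?next=https://app.passbolt.example", false],    // unanchored match
  ["https://appXpassboltXexample/", false],                               // unescaped dots
  ["javascript:alert(1)", false],                                         // non-http scheme
];

// Runs one check over CASES and returns the URLs it gets wrong.
function misclassified(check) {
  return CASES.filter(([url, allowed]) => check(url) !== allowed).map(([url]) => url);
}

// Stand-alone run: the weak check lets three bypasses through, the strict one none.
console.log("weak check misclassifies:", misclassified(canNavigateWeak));
console.log("strict check misclassifies:", misclassified(canNavigateStrict));
```

The fix here is not a tighter regex but a different tool: once the URL is parsed, `origin` already carries the scheme, host and port, so an exact string comparison cannot be fooled by substrings, suffixes or lookalike characters.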