Spell-jacking on Google Chrome and Microsoft Edge

Summary

  • CVE: N/A
  • Product affected: API (Pro and CE) and the browser extension
  • Version affected: every version under v3.7.3
  • Version fixed: v3.7.3
  • Affected component: All form inputs.
  • Vulnerability Type: spell-jacking
  • Severity: N/A

Problem

  • Account
    • OTP
    • passphrase
    • private key
    • security token
  • Navigation
    • Text in the search bar
  • Passwords
    • Passwords metadata
    • Passwords secrets
    • Comments
    • Password generators metadata
    • Share password search text content
  • Passwords import/export
    • Keepass file password
  • Groups
    • Groups name
    • Add group user search text content
  • Folders
    • Folders name
    • Share folder search text content
  • Tags
    • Tags name
    • Edit password tags text content
  • Administration settings
    • MFA settings except salt and secret keys
    • User directory (LDAP) settings except auth password field
    • Passbolt Pro subscription key
    • Organization account recovery public and private recovery key and relative settings (including passphrase)
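The fields listed above are exposed because the enhanced spell-check features of Google Chrome and Microsoft Edge transmit the contents of spell-checked form fields to a remote service, which is what "spell-jacking" refers to. The report does not spell out the patch, so the following is an added example and not Passbolt's own code: it shows the standard mitigation of declaring spellcheck="false" on every free-text field, written as an offline audit of a constructed HTML fragment whose field names are modeled on the list above (search, OTP, passphrase, private key, comment). Whether this matches what v3.7.3 actually changed is not stated on the page.

```javascript
// Added example, not Passbolt's code: audit an HTML fragment for text-entry
// elements that do not opt out of browser spell-checking, and return a
// hardened copy with spellcheck="false" set on each of them. The regex
// scanner is only here so the check runs offline on a constructed fragment;
// auditDocument() does the same against a live DOM.

// Input types that never hold free text, so spell-check cannot read them.
const NON_TEXT_TYPES = new Set([
  'hidden', 'checkbox', 'radio', 'submit', 'button', 'reset', 'image', 'file',
  'range', 'color', 'date', 'datetime-local', 'month', 'week', 'time',
]);

// Matches an <input ...> or <textarea ...> opening tag; group 2 is the raw attribute text.
const TAG_RE = /<(input|textarea)\b([^>]*)>/gi;

// Reads one attribute out of raw attribute text: its value, '' for a bare
// attribute, or null when absent.
function attr(attrs, name) {
  const valued = new RegExp(
    `(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, 'i').exec(attrs);
  if (valued) return valued[1] ?? valued[2] ?? valued[3];
  return new RegExp(`(?:^|\\s)${name}(?=\\s|/|$)`, 'i').test(attrs) ? '' : null;
}

// Core rule: a free-text element is exposed unless spellcheck is explicitly
// "false". A missing attribute means "inherit", which for form fields
// effectively enables the browser's spell-checker. type="password" is kept
// in scope on purpose: "show password" toggles turn it into a text field.
function isExposed(tag, type, spellcheck) {
  if (tag.toLowerCase() === 'input' &&
      NON_TEXT_TYPES.has((type || 'text').toLowerCase())) {
    return false;
  }
  return spellcheck === null || spellcheck.toLowerCase() !== 'false';
}

// Lists every exposed element in an HTML fragment as { tag, name }.
function auditMarkup(html) {
  const findings = [];
  for (const [, tag, attrs] of html.matchAll(TAG_RE)) {
    if (isExposed(tag, attr(attrs, 'type'), attr(attrs, 'spellcheck'))) {
      findings.push({
        tag: tag.toLowerCase(),
        name: attr(attrs, 'name') ?? attr(attrs, 'id') ?? '(unnamed)',
      });
    }
  }
  return findings;
}

// Returns a copy of the fragment with spellcheck="false" on every exposed
// element; any existing spellcheck attribute (e.g. "true") is replaced.
function hardenMarkup(html) {
  return html.replace(TAG_RE, (whole, tag, attrs) => {
    if (!isExposed(tag, attr(attrs, 'type'), attr(attrs, 'spellcheck'))) return whole;
    const stripped = attrs
      .replace(/(?:^|\s)spellcheck(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/i, '');
    const selfClosing = /\/\s*$/.test(stripped);
    const body = stripped.replace(/\s*\/?\s*$/, '');
    return `<${tag}${body} spellcheck="false"${selfClosing ? ' /' : ''}>`;
  });
}

// Same audit against a live DOM (browser only; not exercised offline).
function auditDocument(doc) {
  return Array.from(doc.querySelectorAll('input, textarea'))
    .filter((el) => isExposed(el.tagName, el.getAttribute('type'), el.getAttribute('spellcheck')))
    .map((el) => ({ tag: el.tagName.toLowerCase(), name: el.name || el.id || '(unnamed)' }));
}

// Constructed sample fragment; field names mirror the kinds of inputs listed
// in the report, not Passbolt's actual markup.
const SAMPLE_FORM = `
<form>
  <input type="text" name="search" placeholder="Search">
  <input type="text" name="otp" autocomplete="one-time-code">
  <input type="password" name="passphrase">
  <textarea name="private_key"></textarea>
  <textarea name="comment" spellcheck="true"></textarea>
  <input type="checkbox" name="remember">
  <input type="hidden" name="csrf_token" value="constructed">
  <input type="text" name="group_name" spellcheck="false" />
</form>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log('exposed before:', auditMarkup(SAMPLE_FORM).map((f) => f.name));
  console.log('exposed after :', auditMarkup(hardenMarkup(SAMPLE_FORM)).map((f) => f.name));
}
```

Run in Node, the audit names the five free-text fields (search, otp, passphrase, private_key, comment) and reports nothing after hardening; group_name is already opted out and the checkbox and hidden inputs never carry free text. The regex scanner is not an HTML parser and exists only for the offline demonstration; on a real page the same rule is applied through auditDocument(document) so that dynamically rendered fields are covered too.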

Who’s impacted

Fix

Event Timeline

  • 20/09/2022 15:30: Spell-jacking issue is discovered.
  • 21/09/2022 09:00: A fix is implemented.
  • 26/09/2022: Extension v3.7.3 shipping with the fix is published.
  • 27/09/2022: API v3.7.3 shipping with the fix is published.

Current status:

1. Acknowledge issue with reporter
2. Get a fix/patch prepared
3. Release new version
4. Prepare a report about the issue
5. Feature the problem in the release

Last updated: 2022-09-26 14:10:00 CET
Passbolt Security Incident Report: vulnerability - September 20th, 2022