Browser Extension Vulnerability Report

A security bug was found and fixed in the FlowCrypt Browser Extension.

Affected users: 25

Time from discovery to fix: 1 day

Severity: Medium ($1,000 reward paid to the reporting user, Chris Baker)

Timeline:

  • May 11: the issue was introduced in our code base
  • May 15-20: version 6.7.9 containing the faulty code was released
  • July 31: User discovers the vulnerability and notifies us
  • July 31: We confirm the issue
  • July 31: We take early steps to mitigate the issue
  • Aug 1: We find and fix the issue in our code
  • Aug 1: The fixed extension is released as version 6.9.3
  • Aug 1: We send the user a bug bounty for the discovery
  • Aug 7: Notifying affected users
  • Sep 5: This public statement

Details:

  • Affected period: May 15 (release of version 6.7.9) to Aug 1 (release of version 6.9.3)
  • Trigger: manually updating a Private Key in FlowCrypt Settings -> Additional Settings -> Public Key -> show private key -> update
  • Users were then prompted: “Public and private key updated locally. Update public records with new Public Key?”
  • If the user clicked “OK”, the extension wrongly submitted their ENCRYPTED PRIVATE KEY instead of their PUBLIC KEY to our public key servers
  • Our servers did not check whether a submitted key contained any private key material, and stored it as submitted
  • The encrypted private key was then publicly retrievable at https://flowcrypt.com/lookup, where normally only Public Keys are published
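The server-side check that was missing here is a small one: a key submitted to a public-key endpoint can be inspected for secret-key packets before it is stored, and the armor label alone is not enough because it is plain text that a buggy or malicious client can set to anything. The following is an added example written for this post, not FlowCrypt's own code. It strips the ASCII armor, walks the OpenPGP packet headers (both old and new format, RFC 4880 section 4.2) and rejects the submission if any Secret-Key (tag 5) or Secret-Subkey (tag 7) packet is present; the packet bodies are never interpreted, so a pass-phrase-encrypted private key is caught just the same. The function names and the sample key blocks are constructed for the example (the "keys" are filler bytes behind valid packet headers, not real key material).

```javascript
// Added example: reject "public key" submissions that carry OpenPGP secret-key
// packets. Not FlowCrypt's code; names and sample data are constructed.

// OpenPGP packet tags relevant here (RFC 4880, section 4.3).
const TAG_SECRET_KEY = 5;
const TAG_PUBLIC_KEY = 6;
const TAG_SECRET_SUBKEY = 7;
const TAG_USER_ID = 13;
const TAG_PUBLIC_SUBKEY = 14;

// Strip ASCII armor; return the armor label and the raw packet bytes.
function dearmor(armored) {
  const lines = armored.split(/\r?\n/).map((l) => l.trim());
  const beginIdx = lines.findIndex((l) => /^-----BEGIN PGP .*-----$/.test(l));
  const endIdx = lines.findIndex((l) => /^-----END PGP .*-----$/.test(l));
  if (beginIdx < 0 || endIdx < 0 || endIdx <= beginIdx) {
    throw new Error('not an ASCII-armored OpenPGP block');
  }
  const armorType = lines[beginIdx].slice('-----BEGIN PGP '.length, -'-----'.length);
  let i = beginIdx + 1;
  while (i < endIdx && /^[\w-]+: /.test(lines[i])) i++; // skip armor headers (Version:, Comment:)
  // Drop the blank separator line and the optional "=CRC24" line; base64 data never starts with '='.
  const body = lines.slice(i, endIdx).filter((l) => l !== '' && !l.startsWith('='));
  return { armorType, bytes: Buffer.from(body.join(''), 'base64') };
}

// Walk the packet sequence and return the packet tags in order.
function packetTags(bytes) {
  const tags = [];
  let pos = 0;
  const need = (n) => { if (pos + n > bytes.length) throw new Error('truncated packet header'); };
  while (pos < bytes.length) {
    const ctb = bytes[pos++];
    if ((ctb & 0x80) === 0) throw new Error(`invalid packet header at offset ${pos - 1}`);
    let tag, len;
    if (ctb & 0x40) {
      // New format: 6-bit tag, then a 1-, 2- or 5-octet body length.
      tag = ctb & 0x3f;
      need(1);
      const b1 = bytes[pos++];
      if (b1 < 192) len = b1;
      else if (b1 < 224) { need(1); len = ((b1 - 192) << 8) + bytes[pos++] + 192; }
      else if (b1 === 255) { need(4); len = bytes.readUInt32BE(pos); pos += 4; }
      else throw new Error('partial body lengths are not allowed in key material');
    } else {
      // Old format: 4-bit tag, 2-bit length type.
      tag = (ctb >> 2) & 0x0f;
      const lenType = ctb & 0x03;
      if (lenType === 0) { need(1); len = bytes[pos++]; }
      else if (lenType === 1) { need(2); len = bytes.readUInt16BE(pos); pos += 2; }
      else if (lenType === 2) { need(4); len = bytes.readUInt32BE(pos); pos += 4; }
      else throw new Error('indeterminate-length packet in key material');
    }
    if (pos + len > bytes.length) throw new Error('truncated packet body');
    tags.push(tag);
    pos += len; // body is skipped, not parsed: encrypted secret material is irrelevant to the check
  }
  return tags;
}

// The guard a public-key endpoint would run before storing a submission.
// Returns { ok: true, tags } or { ok: false, reason }.
function checkSubmittedPublicKey(armored) {
  let parsed;
  try { parsed = dearmor(armored); } catch (e) { return { ok: false, reason: e.message }; }
  if (parsed.armorType !== 'PUBLIC KEY BLOCK') {
    return { ok: false, reason: `unexpected armor type: ${parsed.armorType}` };
  }
  let tags;
  try { tags = packetTags(parsed.bytes); } catch (e) { return { ok: false, reason: e.message }; }
  // The armor label is only text; the packet tags are what actually count.
  if (tags.includes(TAG_SECRET_KEY) || tags.includes(TAG_SECRET_SUBKEY)) {
    return { ok: false, reason: 'submission contains secret-key packets' };
  }
  if (tags[0] !== TAG_PUBLIC_KEY) {
    return { ok: false, reason: 'first packet is not a Public-Key packet' };
  }
  return { ok: true, tags };
}

// Constructed sample data (not real keys): valid packet headers over filler bodies.
function packet(tag, bodyLength, oldFormat = false) {
  const ctb = oldFormat ? 0x80 | (tag << 2) : 0xc0 | tag; // one-octet length in both formats
  return Buffer.concat([Buffer.from([ctb, bodyLength]), Buffer.alloc(bodyLength, 0xaa)]);
}
function armor(label, bytes) {
  return `-----BEGIN PGP ${label}-----\nVersion: constructed sample\n\n` +
    `${bytes.toString('base64')}\n-----END PGP ${label}-----\n`;
}
const PUBLIC_KEY_ARMORED = armor('PUBLIC KEY BLOCK', Buffer.concat([
  packet(TAG_PUBLIC_KEY, 20, true), packet(TAG_USER_ID, 8), packet(TAG_PUBLIC_SUBKEY, 20)]));
// The situation on this page: an encrypted private key sent to the public endpoint.
const PRIVATE_KEY_ARMORED = armor('PRIVATE KEY BLOCK', Buffer.concat([
  packet(TAG_SECRET_KEY, 40, true), packet(TAG_USER_ID, 8), packet(TAG_SECRET_SUBKEY, 40)]));
// Secret packets relabelled as public: a check on the armor header alone would pass this.
const MISLABELLED_ARMORED = armor('PUBLIC KEY BLOCK', Buffer.concat([
  packet(TAG_SECRET_KEY, 40), packet(TAG_USER_ID, 8)]));

console.log(checkSubmittedPublicKey(PUBLIC_KEY_ARMORED));   // ok: true, tags [6, 13, 14]
console.log(checkSubmittedPublicKey(PRIVATE_KEY_ARMORED));  // ok: false (armor type)
console.log(checkSubmittedPublicKey(MISLABELLED_ARMORED));  // ok: false (secret-key packets)
```

The third sample is the reason the check inspects packet tags rather than stopping at the armor header: whoever sends the bytes controls the label, so only the binary structure can tell a public key from a private one.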

Aftermath:

What would need to happen for your message content to get exposed:

  • You would need to be one of the 25 affected users
  • Attacker would need to download your encrypted Private Key from our servers in the time period it was available
  • Attacker would need to also have your pass phrase
  • Attacker would need to also have access to one of your encrypted messages (e.g. by breaking into your inbox, or into one of your recipients’ inboxes)

All affected users were notified about this by email. This vulnerability alone could not expose your encrypted content: the leaked key was still protected by your pass phrase, and an attacker would also need copies of your encrypted messages. It did, however, weaken the protection of the Private Key that guards those messages, if you were one of the affected users. If you have not received an email from us about this, you were not one of the affected users.

To further improve security of our software, we will:

  • soon announce a security bounty program with rewards ranging up to USD $5,000 per report
  • review our internal security practices to look for improvements in our development process, code reviews and testing
  • hire an external security firm to go through all of our source code and look for security issues

Your comments are welcome at human@flowcrypt.com

If software security is your thing, we have an open position for a remote security engineer / pen tester. Write us at human@flowcrypt.com