Browser Extension Security Audit

The talented folks at Cure53 have once again lent their expertise to keeping FlowCrypt’s community safe with a thorough security audit of the FlowCrypt Browser Extension. We were glad to learn that no high-severity vulnerabilities had been found. Nevertheless, as a company centered around strengthening privacy and security for our clients, any security concerns are resolved swiftly and treated with the utmost gravity. We’re proud to present you with a list of what was uncovered in the report and how we handled it.

Additionally, you can read the original report in its entirety as a PDF.

Vulnerabilities and fixes

Here is a brief summary of the vulnerabilities and implementation issues that the Cure53 team found during the assessment:

FLO-02-002 Extension: Clickjacking on web-accessible resources (Medium)

The file compose.htm could be embedded into a third-party resource, potentially tricking users into unknowingly sending an email via FlowCrypt. We addressed this by implementing a Content Security Policy HTTP header that instructs browsers not to include any of our content in unknown third-party iframes.

Fix on GitHub

FLO-02-004 Extension: HTML Injection in an error message on certain pages (Low)

If a certain API received an HTML element as input, it would display an error message that rendered the HTML. Although the rendered HTML was limited to a ‘safe’ subset of tags (which ruled out XSS, for example), this behavior was still undesirable.

Fix on GitHub

FLO-02-005 Extension: Path traversal to Google API calls via msgId (Low)

One of the parameters we passed to Gmail (msgId) was open to path traversal, which could have caused FlowCrypt to make a request to a different resource than the one intended. This has been fixed by validating the affected parameter.

Fix on GitHub
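
To illustrate FLO-02-005, the following added example (not FlowCrypt's code and not taken from the linked fix) shows how an unchecked msgId changes the request path once the URL is normalized, next to a validated version. The endpoint base, the ID pattern, the function names and the sample inputs are assumptions made for the illustration.

```javascript
// Added illustration, not FlowCrypt's code. The endpoint base and the ID
// pattern below are assumptions made for this example.
const MESSAGES_BASE = 'https://www.googleapis.com/gmail/v1/users/me/messages/';
const MSG_ID_RE = /^[A-Za-z0-9_-]{1,64}$/; // assumed shape of a message ID

// "Before": msgId is concatenated into the path without any check.
function messageUrlUnchecked(msgId) {
  return new URL(MESSAGES_BASE + msgId).href; // URL parsing collapses ".." segments
}

// "After": only a plain ID is accepted, and the normalized URL must still
// point below the messages endpoint with no query or fragment added.
function messageUrlChecked(msgId) {
  if (typeof msgId !== 'string' || !MSG_ID_RE.test(msgId)) {
    throw new TypeError('msgId is not a valid message ID');
  }
  const url = new URL(MESSAGES_BASE + encodeURIComponent(msgId));
  if (!url.href.startsWith(MESSAGES_BASE) || url.search || url.hash) {
    throw new Error('msgId changed the request target');
  }
  return url.href;
}

// Constructed sample inputs: one well-formed ID and three that alter the
// path or the query string.
const SAMPLES = ['16f2a4c0b1d3e5f7', '../drafts', '%2e%2e/labels', 'abc?format=raw'];

// For each sample, report where the unchecked URL ends up and whether the
// validated version accepts the input.
function compare(samples) {
  return samples.map((id) => {
    let accepted = true;
    try {
      messageUrlChecked(id);
    } catch (e) {
      accepted = false;
    }
    return { id, uncheckedPath: new URL(messageUrlUnchecked(id)).pathname, accepted };
  });
}

console.log(compare(SAMPLES));
```

The allowlist pattern does the real work here; the post-normalization prefix check is a second line of defence in case the pattern is later loosened.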

FLO-02-006 Extension: CSS sanitization can be bypassed (Low)

Previously, our style tag sanitization matched the url() function case-sensitively. As a result, the sanitization could be circumvented by capitalizing any of the letters in the function’s name.

Fix on GitHub

What we learned

Overall, we were overjoyed to be able to apply the wisdom gleaned from Cure53’s audit towards building an ever more secure FlowCrypt. The lack of high-severity issues was a relief, but we perceive any security weakness as our top priority. That’s why we’ll continue to partner with the best offensive security firms to help you keep your communications private.

Our transparency means you stay informed of your security and privacy. Keep an eye out for more security bug fixes and reports, as well as our upcoming bug bounty program.


FlowCrypt Security Team