Browser Extension Security Audit

The talented folks at Cure53 have once again lent their expertise to keeping FlowCrypt’s community safe with a thorough security audit of the FlowCrypt Browser Extension. We were glad to learn that no high severity vulnerabilities had been found. Nevertheless, as a company centered around strengthening privacy and security for our clients, any security concerns are resolved swiftly and treated with the utmost gravity. We are proud to present you with a list of what was uncovered in the report and how we handled it.

Additionally, you can read the original report in its entirety as a PDF.

Vulnerabilities and Fixes

FLO-02-002 Extension: Clickjacking on web accessible resources (Medium)

The file compose.htm could be embedded into a third party resource, potentially tricking users into unknowingly sending an email via FlowCrypt. We addressed this by implementing a Content Security Policy HTTP header that instructs browsers not to include any of our content in unknown 3rd party iframes.

Fix on Github.

FLO-02-004 Extension: HTML Injection in error message on certain pages (Low)

If a certain API received an HTML element as input, it would display an error that rendered the HTML. Although the HTML tags were limited to a ‘safe’ subset (excluding, for example, XSS), this nevertheless is not desirable behavior.

Fix on Github

FLO-02-005 Extension: Path traversal to Google API calls via msgId (Low)

One of the parameters we passed to Gmail could be traversed upwards, which would cause FlowCrypt to make a request to a different resource than what should be allowed. This was fixed by verifying the affected parameter.

Fix on Github.

FLO-02-006 Extension: CSS sanitization can be bypassed (Low)

Previously our style tag sanitization cleaned uses of the url() function with case sensitivity. Therefore, the sanitization could be circumvented by capitalizing any of the letters in the function’s name.

Fix on Github.

What We Learned

Overall, we were overjoyed to be able to apply the wisdom gleaned from Cure53’s audit towards building an ever more secure FlowCrypt. The lack of high severity issues was a relief, but we perceive any security weakness as our top priority. That’s why we will continue to partner with the best offensive security firms to help you keep your communications private.

Our transparency means you stay informed of your security and privacy. Keep an eye out for more security bug fixes and reports, as well as our upcoming bug bounty program.

– The FlowCrypt Security Team