Group Billing Login Vulnerability Report

A security vulnerability was discovered and fixed in the group billing login page. It was found that if an attacker attempted to log in as a target, and the target unwittingly confirmed the attempt via the verification email, then the attacker could gain access to the target’s billing settings at flowcrypt.com/billing (removed page). However, the credit card information isn’t exposed there, as it’s handled by our payment processor separately.

We’ve fixed this by switching authentication to OIDC, disabling original authentication methods on our backend, and invalidating sessions that had been authenticated without OIDC.
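The failure mode behind this report, as an added illustration rather than FlowCrypt's code (the page does not describe how the original flow was implemented, so the model below is an assumption): a confirmation-link login that authenticates the browser which started the attempt, contrasted with one that authenticates only the browser that opens the emailed link. The second variant is a generic mitigation for this class of bug, not the OIDC switch FlowCrypt actually shipped; the `EmailLinkLogin` class, browser identifiers and addresses are constructed.

```python
import secrets
from dataclasses import dataclass

@dataclass
class LoginAttempt:
    email: str              # account the login was requested for
    initiator_browser: str  # browser that submitted the login form
    token: str              # secret embedded in the emailed confirmation link

class EmailLinkLogin:
    """Toy model of a 'confirm via emailed link' login (constructed example)."""

    def __init__(self, bind_session_to_confirmer: bool):
        self.bind_session_to_confirmer = bind_session_to_confirmer
        self.pending = {}   # token -> LoginAttempt
        self.sessions = {}  # browser id -> authenticated email

    def start_login(self, email: str, browser: str) -> str:
        token = secrets.token_urlsafe(32)
        self.pending[token] = LoginAttempt(email, browser, token)
        # In a real system the token goes only into the email sent to `email`;
        # it is returned here so the scenario can simulate the recipient opening it.
        return token

    def click_link(self, token: str, clicking_browser: str):
        attempt = self.pending.pop(token, None)  # single use: pop, never get
        if attempt is None:
            return None
        if self.bind_session_to_confirmer:
            # Hardened: only the browser that opened the emailed link is logged in.
            browser = clicking_browser
        else:
            # Flawed: confirmation promotes the *initiating* browser's session,
            # regardless of who clicked the link.
            browser = attempt.initiator_browser
        self.sessions[browser] = attempt.email
        return browser

    def who_is(self, browser: str):
        return self.sessions.get(browser)

def scenario(bind_session_to_confirmer: bool):
    """Attacker starts a login for the victim's account; the victim opens the link."""
    svc = EmailLinkLogin(bind_session_to_confirmer)
    token = svc.start_login("victim@example.com", "attacker-browser")
    svc.click_link(token, "victim-browser")
    # (who is attacker-browser logged in as, who is victim-browser logged in as)
    return svc.who_is("attacker-browser"), svc.who_is("victim-browser")
```

With the flawed binding the attacker's browser ends up authenticated as the victim; with the hardened binding only the victim's own browser does, and a second click on the same link is rejected.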

Hours from discovery to fix: 12

Severity: Medium (EUR 1 200 reward for reporter)

Timeline:

  • Nov 12, 2017: Group billing page added to FlowCrypt (with vulnerability).
  • Oct 17, 2020: Bug bounty hunter discovers and reports the vulnerability.
  • Oct 17, 2020: We confirm the issue.
  • Oct 17, 2020: We switch authentication to OIDC only.
  • Oct 17, 2020: We invalidate potentially affected authentication tokens.
  • Oct 18, 2020: We publish this public announcement.

Impact:

To be affected by this, you would have had to click the confirmation link in a group billing login verification email for a login you did not initiate yourself. As far as we know, no users were impacted by this. Nevertheless, we’ve expired all sessions that had been authenticated by this mechanism, just in case.

We’re immensely grateful to the security researcher who responsibly disclosed this bug! For a catalog of all vulnerabilities that have been found and fixed in FlowCrypt to date, you can view the FlowCrypt Vulnerabilities Catalog.