Group Billing Login Vulnerability Report

A security vulnerability was found and fixed in the group billing login page. It was discovered that if an attacker attempted to log in as a target, and the target unwittingly confirmed the attempt via the verification email, then the attacker could access the target’s billing settings at flowcrypt.com/billing. Credit card information is not exposed there, as it’s handled separately by our payment processor.

We’ve fixed this by switching authentication to OIDC, disabling original authentication methods on our backend, and invalidating sessions that had been authenticated without OIDC.

Hours from discovery to fix: 12

Severity: Medium (1,200 euro reward for reporter)

Timeline:

  • Nov 12 2017: Group billing page added to FlowCrypt (with vulnerability)
  • Oct 17 2020: Bug bounty hunter discovers and reports the vulnerability
  • Oct 17 2020: We confirm the issue
  • Oct 17 2020: We switch authentication to OIDC only
  • Oct 17 2020: We invalidate potentially affected authentication tokens
  • Oct 18 2020: We publish this public announcement

Impact

To be affected by this, you’d have to have clicked the confirmation in a group billing login verification email for a login you didn’t actually initiate. As far as we know, no users were impacted by this. Nevertheless, we expired all sessions that had been authenticated by this mechanism, just in case. If you have any reason to believe you may have been impacted by this, please contact security@flowcrypt.com.

We are immensely grateful to the security researcher who responsibly disclosed this bug. For a catalogue of all vulnerabilities that have been found and fixed in FlowCrypt to date, you can consult the FlowCrypt Vulnerabilities Catalogue.


If you want to get rewarded for finding security bugs in FlowCrypt, check out our Bug Bounty Program!