FlowCrypt’s security culture is built around aggressively rooting out security weaknesses. Whether it’s our own team scouring the codebase for new weaknesses, partnering with top security firms in Europe to audit our projects, or paying out bug bounties to security researchers, we take pride in swiftly and thoroughly working to maintain the privacy of our users.
Below is a chronological list of fixed vulnerabilities that have been found in FlowCrypt. We hope this list can be useful for security researchers to see what’s already been done, as much as for users and customers seeking insight into how FlowCrypt responds to security issues.
We’d like to thank the security researchers for their contributions to making our software more secure.
Vulnerabilities
Issue | Discovery | Fix
---|---|---
FLO-01-01: Mitigate EFAIL attacks | 2018-05-14 by Tom | The same day by Tom
FLO-01-03: Attester update public key could leak certain private keys | 2019-08-01 by Chris Baker (EUR 850) | 1 day by Tom
FLO-01-05: Add OAuth CSRF token | 2019-09-26 by Tom | The same day by Tom
FLO-01-15: Fix the clickjacking possibility | 2020-03-13 by Cure53 | The same day by Tom
FLO-01-17: HTML injection through error messages | 2020-03-19 by Cure53 | 2020-05-22 by Alex
FLO-01-20: Update DOMPurify from the vulnerable version | 2020-04-02 by Tom | The same day by Tom
FLO-01-25: Block clickjacking on /account | 2020-04-06 by Alex | The same day by Alex
FLO-01-30: Add noopener to links to prevent reverse tabnabbing | 2020-04-07 by Alex | The same day by Alex
FLO-01-35: Use HSTS to prevent SSL stripping attacks | 2020-04-12 by Alex | 28 days by Alex (deploy/39, deploy/47)
FLO-01-45: Send emails from the @flowcrypt.com domain via a Contact Page | 2020-04-28 by Synacktiv | 1 day by Alex (backend/95, backend/97)
FLO-01-50: Bypass the tag filter on a Contact Page | 2020-04-28 by Alex | The same day by Alex
FLO-01-55: Check for expired OpenID Connect JWTs | 2020-04-28 by Synacktiv | 4 days by Tom and Alex
FLO-01-60: Remove the OS version from the SSH banner | 2020-04-29 by Synacktiv | 1 day by Tom and Alex
FLO-01-65: Firewall limit for SSH to certain IPs | 2020-04-29 by Synacktiv | 1 day by Tom
FLO-01-70: Verbose Nginx banner | 2020-04-29 by Synacktiv | The same day by Tom
FLO-01-75: HTTP server bound on ADDR_ANY | 2020-04-29 by Synacktiv | Fixed by Tom
FLO-01-80: Java exceptions information leak | 2020-04-29 by Synacktiv | Fixed by Tom
FLO-01-85: Unencrypted caching of emails in the Android app | 2020-06-14 by Cure53 | The same day by Den
FLO-01-90: MitM due to a lack of certificate checking | 2020-06-14 by Cure53 | The same day by Tom
FLO-01-95: Overwrite arbitrary files with attachment + directory traversal | 2020-06-14 by Cure53 | The same day by Den
FLO-01-100: Overly large public keys cause a denial of service (DoS) | 2020-06-14 by Cure53 | The same day by Den
FLO-01-105: Tabnabbable link to Twitter account | 2020-06-11 via bug bounty | 1 day by Alex
FLO-01-110: Weak ciphers | 2020-06-11 via bug bounty | 4 days by Alex
FLO-01-115: No CAA record | 2020-07-09 via bug bounty | 16 days by Wiktor
FLO-01-120: User-assisted billing account takeover | 2020-10-17 by @sushiwushi2 (EUR 1 200) | The same day by Tom (blog, security/59)
FLO-01-120: Reflected input phishing on Attester | 2021-01-29 by Mart | 9 days by Alex
FLO-01-125: No rate limit on mailing list signup notifications | 2021-02-01 by Yash Ahmed Quashim | 1 day by Alex
FLO-01-130: Disallow @flowcrypt.com addresses on feedback | 2021-02-21 by Mart | 3 days by Alex
FLO-01-135: CSRF on flowcrypt.com/billing login | 2021-03-16 by Mart | 1 day by Alex
FLO-01-140: Stored HTML injection via a password-protected message intro | 2021-03-11 by Mart | The same day by Alex
FLO-01-145: Prevent DoS attacks via profile image uploads | 2021-03-11 by Mart | 6 days by Alex
FLO-01-150: Disallow arbitrary recipients in password-protected replies | 2021-03-27 by Mart | 8 days by Alex
FLO-01-155: Unauthenticated file upload via password-protected attachments | 2021-04-18 by Mart | 8 days by Alex
FLO-01-160: Nginx should return error 400 on an unknown Host | 2021-04-28 by Mart | 2 days by Alex
FLO-01-162: Added a Referrer-Policy header | 2021-07-07 by Rishabh Lalchand Pardeshi | 11 days by Alex
FLO-01-165: Open redirect in the login flow | 2021-07-09 by Mart | 3 days by Ivan
FLO-01-170: Insufficient JWT token expiration | 2021-07-13 by Mart | 2 days by Ivan
FLO-01-175: CSV formula injection | 2021-07-14 by Mart | 5 days by Ivan
FLO-01-177: Added an X-Content-Type-Options header | 2021-11-19 by Tameem Khalid | 5 days by Mart
FLO-01-180: Rate limit bypass for mailing list signup notifications | 2021-11-22 by Kokalagi Rushikesh (3RaasRK) | 4 days by Mart
FLO-01-185: Nginx version disclosure | 2022-01-08 by Anonymous Researcher | 3 days by Mart
FLO-01-190: Outdated JavaScript library | 2022-04-11 by Lakshit | 5 days by Mart
FLO-01-195: Outdated Android dependencies | 2022-04-13 by Mayank Gandhi | 8 days by Mart
FLO-01-200: Limited email address exposure through web crawler | 2022-06-08 by Naina S Malik | 10 days by Mart
FLO-01-203: Missing input limit on Encrypted Contact Page | 2022-06-14 by Naina S Malik | 8 days by Mart
FLO-01-204: Implement a limit on the output of decrypted messages in the browser extension | 2022-10-10 by Mehedi Hasan (Secminer’s BD) | 2023-30-06 by Mart
FLO-01-205: Missing a limit for the input field length | 2022-11-11 by Mehedi Hasan (Secminer’s BD) | 2023-01-06 by Mart
FLO-01-207: Added a Permissions-Policy header | 2023-01-14 by Rishabh Lalchand Pardeshi | 2023-04-11 by Mart
FLO-01-210: Possible command execution via a stripped .pgp extension for unsuccessful file attachment decryption | 2023-01-03 by Nicolas Devillers from Airbus | 3 days by Ioan
FLO-01-215: Rate limiting issue | 2023-03-13 by Rajdip Dey Sarkar | 11 days by Mart
FLO-01-220: Remove deprecated X-XSS-Protection header | 2023-04-06 by Samyak Jain | 7 days by Mart
FLO-01-225: Prevent non-sensitive project files from being served on flowcrypt.com/docs | 2023-05-22 by Hitesh Verma | 1 day by Mart
FLO-01-230: FlowCrypt Android app content exposure when running in background | 2023-08-29 by Rajdip Dey Sarkar | 1 day by Den
FLO-01-235: FlowCrypt Android app tapjacking issue | 2023-08-29 by Rajdip Dey Sarkar | 1 day by Den
FLO-01-240: Rate-limiting issue on FES user feedback | 2023-11-27 by Rajdip Dey Sarkar | 2 days by Mart
FLO-01-245: Unexpected dev email disclosure | 2023-12-18 by Karan Rathod | 1 day by Tom
FLO-01-247: Enhanced DMARC policy to strengthen email security | 2024-03-13 by Niket Popat | 1 day by Tom
FLO-01-248: Improving security.txt with RFC 9116 compliance | 2024-03-15 by Freddie Leeman (URIports) | 1 day by Mart
FLO-01-250: HTML injection via print preview | 2024-04-09 by Mr. Dott | 2 days by Mart
FLO-01-255: Fix Permissions-Policy header | 2024-04-15 by Raju Basak | 2 days by Mart
What’s next?
Want to see your name here? We love hearing from security researchers. Check out our bug bounty program.