by jowlo
1794 days ago
So, the audit found (among other minor things) a pretty standard XSS vulnerability (on page 7) and lots of usages of `.innerHTML`, which has been considered an insecure coding practice for eons. While errors always happen and it is a good thing they found them during beta, I would definitely not say "the final report was overwhelmingly positive, and the audit uncovered no major issues or security vulnerabilities" (blog post). Quite the opposite: XSS is the major attack vector of a web app for encrypted mail, as it most probably enables access to plaintexts. Am I misunderstanding the report here? Disclaimer: I work for a competitor, and we discovered less severe attack vectors in the past, but even then sent out notices to all users informing them about the timeframe of the vulnerability and such.
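To make the `.innerHTML` point above concrete, here is an added example (not code from the thread or from ProtonMail) showing why handing an untrusted string to `innerHTML` is risky and what the escaped / `textContent` alternatives look like. It runs in Node without a DOM: the functions build the markup string a page would otherwise assign to `innerHTML`, and the sample display name is a constructed value, not anything from the audit.

```javascript
// Added example: untrusted string into markup vs. escaped / textContent rendering.
// No DOM is used; we build the string that would be handed to element.innerHTML.

// Constructed sample: a "display name" that the sender of a mail controls.
const UNTRUSTED_NAME = 'Alice <img src=x onerror="alert(document.cookie)">';

// Unsafe pattern: raw concatenation into markup. Once this string is assigned
// to innerHTML, the browser parses the <img> tag and runs its onerror handler.
function renderUnsafe(name) {
  return `<span class="from">${name}</span>`;
}

// Minimal HTML escaping, safe for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Safer: escape before interpolation, so the characters are displayed, not parsed.
function renderEscaped(name) {
  return `<span class="from">${escapeHtml(name)}</span>`;
}

// Preferred when a DOM is available: textContent never parses HTML.
// The element argument is hypothetical here (a plain object works for the demo).
function renderWithTextContent(element, name) {
  element.textContent = name; // stored as text, no tag interpretation
  return element;
}

// Review helper: count the tags actually present in a rendered string. The
// template contributes exactly one (<span>); anything beyond that came from input.
function tagCount(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

console.log('unsafe :', renderUnsafe(UNTRUSTED_NAME), '-> tags:', tagCount(renderUnsafe(UNTRUSTED_NAME)));
console.log('escaped:', renderEscaped(UNTRUSTED_NAME), '-> tags:', tagCount(renderEscaped(UNTRUSTED_NAME)));
console.log('text   :', renderWithTextContent({ textContent: '' }, UNTRUSTED_NAME).textContent);
```

The `tagCount` check is the kind of thing a reviewer can run over templating output in a unit test: if the count exceeds what the template itself contributes, some input reached the markup unescaped.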
> Prior to their release, the source code of both the new ProtonMail and Proton Calendar underwent an extensive security audit. We are happy to announce the final report was overwhelmingly positive, and the audit uncovered no major issues or security vulnerabilities.

This report was done before the release of the new software, and the important issues were fixed. What they said was accurate given there was only one medium severity finding, and no highs or criticals. For example, the site now returns a CSP preventing inline JS, so this wouldn't work anymore even if they didn't fix the underlying XSS.
The fact that exploiting this required the user to intentionally right click and show the image in a new tab (since it already renders it inline w/o XSS) is why it was categorized that way, since it's unlikely someone would do this by default.
Most companies never disclose anything like this, so them disclosing there was a vulnerability found in a report they paid for and then published isn't really a strike against them, and I'm fine with this language. It's a little marketing speak, but I don't agree it's inaccurate for them to say so.
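The reply above leans on the CSP as a backstop ("a CSP preventing inline JS"). Whether a header actually blocks inline script is easy to get wrong, so here is an added checker (not from the thread and not Proton's code) that parses a `Content-Security-Policy` value and decides if inline scripts are still permitted. It follows the CSP Level 3 rules as modern browsers apply them: `script-src` falls back to `default-src`, and `'unsafe-inline'` is ignored when a nonce, hash or `'strict-dynamic'` source appears in the same directive. The `-elem`/`-attr` sub-directives are not modelled, and all header values below are constructed samples.

```javascript
// Added example: does this Content-Security-Policy header still allow inline scripts?
// Rules modelled (CSP Level 3): script-src falls back to default-src; 'unsafe-inline'
// is honoured only when no nonce-, sha*- or 'strict-dynamic' source is present.

// Parse "directive sources; directive sources" into a Map. Browsers keep the first
// occurrence of a directive name and ignore later duplicates, so we do the same.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of String(header).split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// The directive that governs <script> execution, or null if none is set.
function effectiveScriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null; // nothing governs scripts: inline script is allowed
}

// true  -> an injected <script> or inline handler would run
// false -> the policy blocks inline script (an XSS still needs a fix, but it has less reach)
function allowsInlineScript(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const unsafeInline = lower.includes("'unsafe-inline'");
  const nonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const strictDynamic = lower.includes("'strict-dynamic'");
  return unsafeInline && !nonceOrHash && !strictDynamic;
}

// Constructed header values for a stand-alone run.
const SAMPLES = {
  permissive:   "default-src 'self'; script-src 'self' 'unsafe-inline'",
  blocking:     "default-src 'self'; script-src 'self'",
  nonceBased:   "script-src 'self' 'nonce-abc123' 'unsafe-inline'", // unsafe-inline ignored
  noScriptRule: "img-src 'self'",
  fallback:     "default-src 'self' 'unsafe-inline'",
};

for (const [label, header] of Object.entries(SAMPLES)) {
  console.log(`${label.padEnd(12)} inline script allowed: ${allowsInlineScript(header)}`);
}
```

A policy that reports `false` here limits what a stored or reflected XSS can execute, but it does not remove the injection; the reply's own framing, "even if they didn't fix the underlying XSS", is the defense-in-depth reading, not a substitute for the fix.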