by throwaway192874 1793 days ago
You forgot to read the sentence before that

> Prior to their release, the source code of both the new ProtonMail and Proton Calendar underwent an extensive security audit. We are happy to announce the final report was overwhelmingly positive, and the audit uncovered no major issues or security vulnerabilities.

This report was done before the release of the new software, and the important issues were fixed. What they said was accurate given there was only one medium-severity finding, and no highs or criticals. For example, the site now returns a CSP preventing inline JS, so this wouldn't work anymore even if they didn't fix the underlying XSS.

The fact that exploiting this required the user to intentionally right click and show the image in a new tab (since it already renders it inline w/o xss) is why it was categorized that way since it's unlikely someone would do this by default.

Most companies never disclose anything like this, so them disclosing there was a vulnerability found in a report they paid for and then published isn't really a strike against them, and I'm fine with this language. It's a little marketing speak, but I don't agree it's inaccurate for them to say so.

1 comments

> You forgot to read the sentence before that

Oh, yes, I did, sorry! I thought this was found in production code.

I do support them publishing this and, like I said, the code is audited to find exactly these kinds of errors, so I am not at all trying to shame them here. Their process worked: they found and fixed the vulnerabilities.

OTOH, not having a proper CSP preventing inline JS, the innerHTML usages and that XSS together do not go too well with the overall extremely positive sound of the headlines. All three of those are in the 101 of secure web app development.

Aaand, with the number of users they have, tons of them will right click and open in a new tab every hour. It's also easily exploitable: send an image with very small text. However, being in a different tab, I am unsure how much info you would be able to steal, but sessions/tokens would be possible, I guess.
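Both comments above hinge on whether the site's CSP actually blocks inline script. The check below is an added example, not code from either commenter or from Proton; the sample policies are constructed, and it assumes a header string obtained from an HTTP response. It applies the CSP rules a browser uses for inline script (script-src, falling back to default-src, with 'unsafe-inline' ignored when a nonce or hash source is present).

```python
"""Decide whether a Content-Security-Policy header blocks inline script.

Hypothetical helper for the discussion above; not Proton's code.
"""


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';'; the first occurrence of a directive wins,
    as in the spec (later duplicates are ignored by browsers).
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def blocks_inline_script(header: str) -> bool:
    """Return True if inline <script> blocks and on* handlers cannot run.

    script-src governs scripts; if it is absent, default-src is the fallback.
    Per CSP Level 3, 'unsafe-inline' is ignored when a nonce- or hash-source
    is also listed, so such a policy still blocks un-nonced inline script.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False  # no governing directive at all: inline script allowed
    lowered = [s.strip("'").lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for s in lowered
    )
    return not ("unsafe-inline" in lowered and not has_nonce_or_hash)


# Constructed sample headers: a weak policy, a corrected one, a nonce-based one,
# and one that never mentions scripts at all.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
FIXED_CSP = "default-src 'self'; script-src 'self'"
NONCED_CSP = "script-src 'nonce-abc123' 'unsafe-inline'; img-src *"
NO_SCRIPT_DIRECTIVE = "img-src *; frame-ancestors 'none'"

if __name__ == "__main__":
    for name, hdr in [("weak", WEAK_CSP), ("fixed", FIXED_CSP),
                      ("nonced", NONCED_CSP), ("missing", NO_SCRIPT_DIRECTIVE)]:
        print(f"{name:8s} blocks inline script: {blocks_inline_script(hdr)}")
```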