Cure53 pentest report

June 24, 2014

During the last week of April and the first week of May 2014, a Cure53 team, led by Mario Heiderich, performed a thorough penetration test in order to spot bugs and vulnerabilities in the Clipperz password manager. Today we are ready to share the outcomes of their awesome work.

Penetration tests

First I’d like to thank the Open Technology Fund for sponsoring this assignment. OTF is an initiative that promotes global Internet freedom and combats online censorship. It financially supports projects that develop open and accessible technologies promoting human rights and open societies. A special thanks goes to Dan Meredith, OTF Director, and Adam Lynn, OTF Analyst, for their decision to award Clipperz its first professional security review.

Cure53 found a bunch of vulnerabilities and weaknesses. As expected, most of them, and the more serious ones, were related to the open source editions of Clipperz, those using the PHP and Python backends, which are clearly stated as suitable only for testing and educational purposes.

Then there was a group of possible attacks exploiting direct logins and the process used to create them via the Clipperz bookmarklet. We quickly fixed those involving serious injection risks, but we decided not to address the minor bugs, because we are considering the complete removal of this feature from future releases and also because of their limited damage potential.

All remaining vulnerabilities classified as “critical”, “high” and “medium” have been resolved, a few of them even before the completion of the pentest program, thanks to the nice and proactive ongoing talks with the Cure53 team.

For those interested, the complete pentest report is available both here (clipperz.is website) and here (cure53.de website). An annotated list of all vulnerabilities is available here (Gdoc). The latter also includes links to the patches submitted on GitHub.

All in all, we were extremely pleased with the collaboration with Cure53, and we hope to soon have the opportunity to work again with Mario and his fellow workers.