Oh, yes, I did, sorry! I thought this was found in production code.
I do support them publishing this and like I said: The code is audited to find exactly these kinds of errors, so I am not at all trying to shame them here. Their process worked, they found and fixed the vulnerabilities.
OTOH, not having a proper CSP preventing inline JS, the innerHTML usages and that XSS together does not go too well with the overall extremely positive sound of the headlines. All those three are in the 101 of secure web app development.
Aaand, with the numbers of users they have, tons of them will right click and open in a new tab every hour. Its also easily exploitable: send an image with very small text. However, being in a different tab i am unsure how much info you would be able to steal, but sessions/tokens would be possible I guess.
So, the audit found (among other minor things) a pretty standard XSS vulnerability (on page 7) and lots of usages of `.innerHTML` which has been considered an insecure coding practice for eons.
While errors always happen and it is a good thing they found them during beta, I would definitely not say "the final report was overwhelmingly positive, and the audit uncovered no major issues or security vulnerabilities" (blog post).
Quite the opposite: XSS is the major attack vector of a web app for encrypted mail as it most probably enables access to plaintexts.
Am I misunderstanding the report here?
disclaimer: i work for a competitor and we discovered less severe attack vectors in the past but even then sent out notices to all users informing them about the timeframe of the vulnerability and such.
Oh, yes, I did, sorry! I thought this was found in production code.
I do support them publishing this and like I said: The code is audited to find exactly these kinds of errors, so I am not at all trying to shame them here. Their process worked, they found and fixed the vulnerabilities.
OTOH, not having a proper CSP preventing inline JS, the innerHTML usages and that XSS together does not go too well with the overall extremely positive sound of the headlines. All those three are in the 101 of secure web app development.
Aaand, with the numbers of users they have, tons of them will right click and open in a new tab every hour. Its also easily exploitable: send an image with very small text. However, being in a different tab i am unsure how much info you would be able to steal, but sessions/tokens would be possible I guess.