This issue was reported by BAHAG NOC Security, and submitted to the community for discussion.
Q1. What is the problem that you are trying to solve?
Within the web application it is possible to export all passwords in plaintext without any additional re-authentication when the user uses the “remember me” feature. Similarly, it is possible to delete multiple passwords without any additional authentication.
So an attacker with limited technical knowledge and temporary physical access can compromise availability or confidentiality.
Q2. Who is impacted?
Work environment where people do not lock their screen and extensively use the remember me functions.
Q3. Why is it important and/or urgent?
To be discussed. The security model of passbolt does not protect against attackers having physical access (or equivalent, such as an attacker who managed to compromise the client system). In this scenario an attacker could directly access the content of memory to get the stored passphrase (or capture it at login via a keylogger, etc.).
Additionally, there are some controls already in place:
- Administrators can disable the remember me feature or control the intervals via the server config. This would effectively require the user to enter the passphrase for every action involving cryptographic operations (export, preview, create, edit, etc.). Administrators can also disable the export feature via the server configuration.
- The passphrase is flushed if the browser is idle for 15 min. This can help in a scenario where a user forgot to lock their screen. However, this behavior is the source of repeated complaints from our user base, who ask that we get rid of it. So we are considering making it a setting.
Q4. What is your proposed solution? (optional)
Implementing an additional setting for administrators, which would allow us to define which operations are considered to be sensitive for the organization (preview, export all, delete, delete all, etc.). This would bypass the remember me choices and allow each organization to decide for themselves the security and usability balance they want to strike.
Whether some sensitive operations such as export and delete are protected by default is up for discussion here. Should we follow the “security by default” principle like we do elsewhere, or favor usability in this case?
Q5. Community support
People can vote for this idea to show traction:
- Must have: this is critical for me to have this
- Should have: this is important for me to have this
- Could have: this could be nice to have
- Won’t have: we should not schedule this (explain why)
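As an added illustration of how the proposal in Q4 would sit alongside the existing controls listed in Q3, the following JavaScript models a client-side passphrase cache with an administrator policy that (a) can disable remember-me or restrict the permitted intervals, (b) flushes the cached passphrase after an idle timeout, and (c) lists operations that must always prompt for the passphrase even while remember-me is active. This is example code written for this discussion, not passbolt's own implementation; the policy field names, operation names (`export_all`, `delete`, `delete_all`, `preview`), the `PassphraseCache` class and the sample passphrase are all assumptions chosen for the demonstration.

```javascript
// Hypothetical model of the Q4 proposal plus the Q3 idle flush.
// Not passbolt code; names and values below are constructed for the example.

const MINUTE_MS = 60 * 1000;

// Administrator-defined policy (constructed example values):
//  - allowedDurationsMs: remember-me intervals the admin permits; -1 means "until logout".
//  - idleTimeoutMs: flush the cached passphrase after this much inactivity (15 min, as in Q3).
//  - sensitiveOperations: always require the passphrase, even when remember-me is active (Q4).
const examplePolicy = {
  rememberMeEnabled: true,
  allowedDurationsMs: [5 * MINUTE_MS, 15 * MINUTE_MS, 60 * MINUTE_MS, -1],
  idleTimeoutMs: 15 * MINUTE_MS,
  sensitiveOperations: new Set(['export_all', 'delete', 'delete_all']),
};

class PassphraseCache {
  constructor(policy) {
    this.policy = policy;
    this.flush();
  }

  // Drop the cached passphrase. Called on expiry, idle timeout, or explicit lock.
  flush() {
    this.passphrase = null;
    this.expiresAt = 0;
    this.lastUsedAt = 0;
  }

  // Store the passphrase for `durationMs` starting at `now` (epoch ms).
  // Returns false when the admin has disabled remember-me or does not allow this interval.
  remember(passphrase, durationMs, now) {
    const { rememberMeEnabled, allowedDurationsMs } = this.policy;
    if (!rememberMeEnabled || !allowedDurationsMs.includes(durationMs)) {
      return false;
    }
    this.passphrase = passphrase;
    this.expiresAt = durationMs === -1 ? Infinity : now + durationMs;
    this.lastUsedAt = now;
    return true;
  }

  // Decide whether `operation` may proceed with the cached passphrase or must prompt.
  // Order matters: expiry and idle checks flush the cache before the policy lookup,
  // so a stale passphrase is never handed out for any operation.
  authorize(operation, now) {
    if (this.passphrase === null) {
      return { prompt: true, reason: 'no_cached_passphrase' };
    }
    if (now >= this.expiresAt) {
      this.flush();
      return { prompt: true, reason: 'remember_me_expired' };
    }
    if (now - this.lastUsedAt >= this.policy.idleTimeoutMs) {
      this.flush();
      return { prompt: true, reason: 'idle_timeout' };
    }
    if (this.policy.sensitiveOperations.has(operation)) {
      // The cache stays valid for ordinary operations, but this one must re-authenticate.
      return { prompt: true, reason: 'sensitive_operation' };
    }
    this.lastUsedAt = now;
    return { prompt: false, reason: 'remembered', passphrase: this.passphrase };
  }
}

// Walk through the Q1 scenario: a user with remember-me active tries to export everything.
// Returns the decision reasons in order so the behaviour can be checked without a UI.
function demo() {
  const cache = new PassphraseCache(examplePolicy);
  const t0 = 1700000000000; // arbitrary epoch ms
  const reasons = [];
  reasons.push(cache.authorize('preview', t0).reason);                    // nothing cached yet
  cache.remember('correct horse battery staple', 5 * MINUTE_MS, t0);      // constructed passphrase
  reasons.push(cache.authorize('preview', t0 + 1 * MINUTE_MS).reason);    // served from cache
  reasons.push(cache.authorize('export_all', t0 + 2 * MINUTE_MS).reason); // sensitive: must prompt
  reasons.push(cache.authorize('preview', t0 + 5 * MINUTE_MS).reason);    // interval over: flushed
  reasons.push(cache.authorize('preview', t0 + 5 * MINUTE_MS + 1).reason); // nothing cached again
  return reasons;
}

console.log(demo().join(' -> '));
```

The point of the ordering in `authorize` is that the sensitive-operation check is a policy decision layered on top of, not instead of, the lifetime checks: an admin who sets `rememberMeEnabled: false` gets a prompt for every cryptographic operation, while an admin who leaves remember-me on but lists `export_all` and `delete_all` as sensitive gets the Q4 behaviour of prompting only for those.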