SEC Consult was tasked by the German Federal Office for Information Security (BSI) with performing a security audit and source code review of the Mailvelope Google Chrome and Firefox add-ons, the OpenPGP.js library, and the GPGME-json utility. The objective of this review was to reveal common security issues and to offer suggestions for improvements. The focus of the audit was to identify:
- vulnerabilities in the cryptographic algorithms,
- routines that could cause user data compromise,
- and routines that could be abused for user monitoring.
The vulnerabilities outlined in this document are subject to a coordinated vulnerability disclosure process and the appropriate maintainers have been notified. [Most of the vulnerabilities are patched, while some uncritical vulnerabilities are not yet addressed. Passages in this report regarding unpatched vulnerabilities are hence expunged.]
The following chapter summarizes the scope and timetable of the audit, the results of the audit and outlines the measures recommended by SEC Consult.