Prepared by:
HALBORN
Last Updated Unknown date
Date of Engagement: August 27th, 2024 - September 10th, 2024
100% of all reported findings have been addressed.

| Severity | Findings |
|---|---|
| All findings | 9 |
| Critical | 0 |
| High | 0 |
| Medium | 0 |
| Low | 0 |
| Informational | 9 |
zkPass engaged Halborn to conduct a security assessment on their Transgate extension, beginning on 2024-08-27 and ending on 2024-09-10. The security assessment was scoped to the assets provided to the Halborn team.
The team at Halborn was provided two weeks for the engagement and assigned a full-time security engineer to verify the security of all the applications. The security engineer is a penetration testing expert with advanced knowledge in web, recon, discovery & infrastructure penetration testing and blockchain protocols.
- Improve the security of the implementation
- Identify potential security issues that could be affecting the implementation
During the security assessment of the extension, nine issues were identified, all rated Informational. None reached Low severity, but together they weaken the extension's security posture. Six have since been solved by the zkPass team through patching, code refactoring, or adoption of security best practices; two were risk-accepted, and one (the use of TLS 1.2) is scheduled for a future release.
Key issues included improper input handling, excessive logging of sensitive data, and weaknesses in key management and transport configuration. Input-handling functions did not adequately validate user-controlled input on three paths (event listener messages, JSON parsed from external sources, and URLs built from user input). In a browser extension this matters because such data can reach privileged background code, where it could be abused for injection-style attacks leading to data compromise or unauthorized access. Requests and responses were logged without redaction, so any log output or debugging artefact could leak session material.
Additionally, the use of outdated dependencies is a concern, as such packages may carry publicly disclosed vulnerabilities. The extension also negotiates TLS 1.2 rather than TLS 1.3. TLS 1.2 remains acceptable when restricted to (EC)DHE key exchange and AEAD cipher suites, but TLS 1.3 makes forward-secret key exchange mandatory, removes legacy cipher suites, compression and renegotiation, encrypts most of the handshake, and completes it in a single round trip. Session data stored without encryption and the presence of hardcoded sensitive values further add to the risk.
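The findings above describe the weak input paths only in summary. What follows is an added example, written for this page and not code from the zkPass Transgate extension or from Halborn's report: hardened handling for the three input paths the findings name (messages arriving at an event listener, JSON parsed from an untrusted source, and URLs built from user input), plus redaction before logging. The allowlisted origin, message types, message shape and all sample values are constructed for illustration.

```javascript
// Added example, not code from the zkPass Transgate extension or from Halborn's report.
// ALLOWED_ORIGINS, MESSAGE_TYPES, the message shape and all sample values are constructed.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const MESSAGE_TYPES = new Set(['START_PROOF', 'CANCEL']);
const SENSITIVE_KEYS = new Set(['authorization', 'cookie', 'set-cookie', 'token', 'password', 'session']);
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept only plain-object/array trees of bounded depth, with no keys that could
// pollute Object.prototype if the value is later merged into another object.
function isSafeObjectTree(value, depth = 0) {
  if (depth > 8 || typeof value === 'function') return false;
  if (value === null || typeof value !== 'object') return true;
  if (Array.isArray(value)) return value.every(v => isSafeObjectTree(v, depth + 1));
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== null) return false;
  return Object.keys(value).every(k => !FORBIDDEN_KEYS.has(k) && isSafeObjectTree(value[k], depth + 1));
}

// JSON from an untrusted source: bound the size, catch parse errors and check the
// shape instead of trusting whatever JSON.parse returns.
function safeParseJson(text, maxBytes = 64 * 1024) {
  if (typeof text !== 'string' || text.length > maxBytes) return null;
  let parsed;
  try { parsed = JSON.parse(text); } catch { return null; }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return null;
  return isSafeObjectTree(parsed) ? parsed : null;
}

// URL assembled from user input: resolve it with the URL parser rather than string
// concatenation, require https, forbid embedded credentials and keep it on an
// allowlisted origin (so "//evil.example/x" and absolute URLs are rejected).
function buildAllowedUrl(base, userPath) {
  let url;
  try { url = new URL(userPath, base); } catch { return null; }
  if (url.protocol !== 'https:' || url.username !== '' || url.password !== '') return null;
  if (!ALLOWED_ORIGINS.has(url.origin)) return null;
  return url.href;
}

// Origin of a chrome.runtime.MessageSender-like object: MV3 provides `origin`,
// older senders only `url`.
function senderOrigin(sender) {
  if (!sender) return null;
  if (typeof sender.origin === 'string') return sender.origin;
  try { return sender.url ? new URL(sender.url).origin : null; } catch { return null; }
}

// Event listener input: check who sent the message and that it matches the
// expected shape before any privileged code acts on it.
function validateMessage(message, sender) {
  const origin = senderOrigin(sender);
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { ok: false, reason: 'untrusted sender' };
  if (message === null || typeof message !== 'object' || !isSafeObjectTree(message)) {
    return { ok: false, reason: 'malformed message' };
  }
  if (!MESSAGE_TYPES.has(message.type)) return { ok: false, reason: 'unknown message type' };
  const payload = message.payload === undefined ? {} : message.payload;
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return { ok: false, reason: 'malformed payload' };
  }
  return { ok: true, type: message.type, payload };
}

// Logging: never write raw requests or responses. Replace secret-bearing fields
// and truncate long strings so a log line cannot be replayed as a session.
function redactForLog(value, maxLen = 64) {
  if (Array.isArray(value)) return value.map(v => redactForLog(v, maxLen));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? '[REDACTED]' : redactForLog(v, maxLen);
    }
    return out;
  }
  if (typeof value === 'string' && value.length > maxLen) return value.slice(0, maxLen) + '...';
  return value;
}

// Wiring into the extension's background script; guarded so the file also runs under Node.
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
    const checked = validateMessage(message, sender);
    console.debug('onMessage', redactForLog({ origin: senderOrigin(sender), checked }));
    sendResponse(checked.ok ? { ok: true } : { error: checked.reason });
    return false; // response sent synchronously
  });
}
```

The design point is that each untrusted value is parsed into a typed object and checked against an allowlist (origins, message types, key names) before use; denylisting individual bad strings would miss the next variant. Redaction runs on a copy, so the original object reaching the handler is unchanged.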
Addressing these vulnerabilities through package updates, implementation of secure coding practices, and adopting modern security protocols will significantly improve the extension's overall security, reducing the likelihood of exploitation and ensuring better protection of user data.
The browser extension applies encryption to its functions and transmitted data. Within the scope assessed, no finding affecting client data privacy was rated above Informational, so the extension's safeguards for client information are considered adequate.
| EXPLOITABILITY METRIC | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Attack Origin (AO) | Arbitrary (AO:A) / Specific (AO:S) | 1 / 0.2 |
| Attack Cost (AC) | Low (AC:L) / Medium (AC:M) / High (AC:H) | 1 / 0.67 / 0.33 |
| Attack Complexity (AX) | Low (AX:L) / Medium (AX:M) / High (AX:H) | 1 / 0.67 / 0.33 |

| IMPACT METRIC | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Confidentiality (C) | None (C:N) / Low (C:L) / Medium (C:M) / High (C:H) / Critical (C:C) | 0 / 0.25 / 0.5 / 0.75 / 1 |
| Integrity (I) | None (I:N) / Low (I:L) / Medium (I:M) / High (I:H) / Critical (I:C) | 0 / 0.25 / 0.5 / 0.75 / 1 |
| Availability (A) | None (A:N) / Low (A:L) / Medium (A:M) / High (A:H) / Critical (A:C) | 0 / 0.25 / 0.5 / 0.75 / 1 |
| Deposit (D) | None (D:N) / Low (D:L) / Medium (D:M) / High (D:H) / Critical (D:C) | 0 / 0.25 / 0.5 / 0.75 / 1 |
| Yield (Y) | None (Y:N) / Low (Y:L) / Medium (Y:M) / High (Y:H) / Critical (Y:C) | 0 / 0.25 / 0.5 / 0.75 / 1 |

| SEVERITY COEFFICIENT | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility (R) | None (R:N) / Partial (R:P) / Full (R:F) | 1 / 0.5 / 0.25 |
| Scope (S) | Changed (S:C) / Unchanged (S:U) | 1.25 / 1 |
| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
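As an added worked example, not part of the report, the scoring tables above applied in JavaScript. The metric weights are exactly those listed above. The rule that combines them is not reproduced on this page; the one used here is taken from Halborn's published methodology (E is the product of the three exploitability weights, I is the highest impact weight plus one quarter of the sum of the remaining impact weights, C is reversibility times scope, and S = min(10, 10·E·I·C)), so treat that rule and the sample vectors as assumptions carried over from outside this page. The vector string format is likewise a convenience for this example.

```javascript
// Added example, not code from Halborn or zkPass. Weights are from the tables on this page;
// the combination rule is Halborn's published one (assumed here, not shown on this page).
const EXPLOITABILITY = {
  AO: { A: 1, S: 0.2 },
  AC: { L: 1, M: 0.67, H: 0.33 },
  AX: { L: 1, M: 0.67, H: 0.33 },
};
const IMPACT_METRICS = ['C', 'I', 'A', 'D', 'Y'];
const IMPACT_SCALE = { N: 0, L: 0.25, M: 0.5, H: 0.75, C: 1 };
const COEFFICIENT = {
  R: { N: 1, P: 0.5, F: 0.25 },
  S: { C: 1.25, U: 1 },
};

// Parse a vector such as "AO:A/AC:L/AX:L/C:H/I:N/A:N/D:N/Y:N/R:N/S:U" into {AO:'A', ...}.
function parseVector(vector) {
  const parts = {};
  for (const token of vector.split('/')) {
    const [metric, value] = token.split(':');
    if (!metric || !value) throw new Error(`malformed token: ${token}`);
    parts[metric] = value;
  }
  return parts;
}

// Look up one metric value, failing loudly on anything outside the tables.
function weight(table, metric, value) {
  const w = table[value];
  if (w === undefined) throw new Error(`unknown value for ${metric}: ${value}`);
  return w;
}

// Severity score S in [0, 10], rounded to one decimal as in the severity bands.
function score(vector) {
  const v = parseVector(vector);
  const e = ['AO', 'AC', 'AX'].reduce((acc, m) => acc * weight(EXPLOITABILITY[m], m, v[m]), 1);
  const impacts = IMPACT_METRICS.map(m => weight(IMPACT_SCALE, m, v[m]));
  const maxImpact = Math.max(...impacts);
  const sumImpact = impacts.reduce((a, b) => a + b, 0);
  const i = maxImpact + (sumImpact - maxImpact) / 4; // secondary impacts count at a quarter
  const c = weight(COEFFICIENT.R, 'R', v.R) * weight(COEFFICIENT.S, 'S', v.S);
  const s = Math.min(10, 10 * e * i * c);
  return Math.round(s * 10) / 10;
}

// Map a score onto the severity bands listed above.
function severity(s) {
  if (s >= 9) return 'Critical';
  if (s >= 7) return 'High';
  if (s >= 4.5) return 'Medium';
  if (s >= 2) return 'Low';
  return 'Informational';
}
```

Two properties of the rule are worth noticing when reading scores: a single impact metric at High with everything else at None already yields 7.5 (High) for an arbitrary, low-cost attack, and the 10-point cap is reached quickly once several impact metrics are non-zero, so Critical does not require every metric at its maximum.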
| Finding | Severity | Status (date) |
|---|---|---|
| Improper Input Handling and Parsing | Informational | Solved - 10/01/2024 |
| Excessive Logging of Sensitive Data | Informational | Solved - 10/01/2024 |
| Potential Weakness in Key Management | Informational | Solved - 10/01/2024 |
| Lack of Encryption for Stored Session Data | Informational | Risk Accepted - 10/01/2024 |
| Lack of Validation in Event Listeners | Informational | Solved - 10/01/2024 |
| Lack of Validation When Parsing JSON | Informational | Risk Accepted - 10/01/2024 |
| Unvalidated URL Manipulation | Informational | Solved - 10/01/2024 |
| Outdated Packages | Informational | Risk Accepted - 10/01/2024 |
| Use of TLS 1.2 | Informational | Future Release - 10/01/2024 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
Chromium Browser Extension