SecureDrop Inbox 1.3.1 is now available.
This update addresses a low-priority security issue; we are not aware of any exploitation in the wild. It will be applied automatically during preflight updates, and no further action is required by administrators or journalists. If you have any questions, please contact SecureDrop support via Signal or encrypted email.
Bypass of securedrop-proxy's origin limitation
A malicious SecureDrop Server could bypass securedrop-proxy's origin limitation by responding with cross-origin redirects, which the proxy would follow to an origin outside the one it is restricted to. This issue was fixed by this commit, which disables all following of redirects.
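The following is an added illustration of the bug class described above, not securedrop-proxy's own code: an origin check applied only to the URL the caller asks for is bypassed when the HTTP client then follows a redirect, and refusing redirects outright (the fix this release ships) closes the gap. The transport, host names, and function names here are constructed assumptions.

```python
"""Added example (not securedrop-proxy's code): origin allowlist vs. redirects.

The TRANSPORT dict is a constructed stand-in for real HTTP responses so the
example runs offline; all URLs and names are assumptions, not the project's."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


# Constructed sample: the allowed server answers with a 302 whose Location
# points at a different origin, which is exactly the bypass described above.
TRANSPORT = {
    "https://allowed.example/api/v1/sources": Response(
        302, {"Location": "https://evil.example/collect"}),
    "https://evil.example/collect": Response(200, body=b"cross-origin body"),
}


class OriginViolation(Exception):
    """Raised when the requested URL is not on the allowed origin."""


class RedirectRefused(Exception):
    """Raised when the server answers with a redirect and following is disabled."""


def origin_of(url: str) -> str:
    """Normalise a URL to its scheme://host[:port] origin, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def fetch(url: str, allowed_origin: str, follow_redirects: bool,
          max_hops: int = 5) -> Response:
    """Fetch url, enforcing that it lives on allowed_origin.

    follow_redirects=True models the vulnerable behaviour: the origin check
    runs once, on the caller's URL, and redirect targets are fetched unchecked.
    follow_redirects=False models the fix: any 3xx with a Location header is
    refused, so the proxy never issues a request the check did not see.
    """
    if origin_of(url) != origin_of(allowed_origin):
        raise OriginViolation(url)
    for _ in range(max_hops):
        resp = TRANSPORT[url]  # a real proxy would perform the HTTP request here
        location = resp.headers.get("Location")
        if 300 <= resp.status < 400 and location:
            if not follow_redirects:
                raise RedirectRefused(location)
            url = location  # vulnerable: origin is not re-checked for this hop
            continue
        return resp
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    allowed = "https://allowed.example"
    start = "https://allowed.example/api/v1/sources"
    print("vulnerable:", fetch(start, allowed, follow_redirects=True).body)
    try:
        fetch(start, allowed, follow_redirects=False)
    except RedirectRefused as exc:
        print("fixed: refused redirect to", exc)
```

Re-validating the origin on every hop would also close this particular gap, but refusing redirects altogether is the smaller change and removes the redirect-handling code path from the attack surface entirely, which is the approach the announcement describes.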
This vulnerability is still pending assignment of a CVE; this post will be updated once it’s available. It has a CVSSv3 score of 3.7, and because it requires a compromised server, it’s a low-priority issue.
Thanks to Bytes512 for reporting this through the SecureDrop bug bounty program; we've awarded them $500 for the discovery. This issue was also independently reported to us by Anthropic Research and Claude, in collaboration with calif.io.
Acknowledgments
This release incorporates Freedom of the Press Foundation (FPF) contributions by Giulio B; Martin C; Nathan Dyer, communications manager; Micah Lee; Kunal Mehta, release manager; Cory Francis Myers, deputy release manager; Vicki Niu; Kevin O’Gorman; Francisco Rocha; Conor Schaefer; John Skinner; and Rowen S.
Questions and comments
If you have questions or comments regarding this release, please contact us:
- Via Signal, either in your dedicated SecureDrop Support group, or by contacting the support account listed at securedrop.org/help/.
- Via securedrop@freedom.press (PGP encrypted) for sensitive security issues (please use judiciously), or submit a report via Bugcrowd.
We also encourage you to file nonsensitive issues via our GitHub repository.
Thank you for using SecureDrop!