Security Advisory

All news
Security Advisory

Security Advisory: Cross-site request forgery vulnerability on Journalist Interface test alert form

On May 10, 2021, the Tenable team informed us of a CSRF vulnerability on SecureDrop’s Journalist Interface. Details are now available on their advisories page. Read More

Security Advisory

Security Disclosure: Configuration Error on SecureDrop’s Translation Platform

The SecureDrop project uses a self-hosted installation of Weblate for translation into supported languages. On Sunday, an independent security researcher reported a Weblate misconfiguration through our bug bounty program. Read More

Security Advisory

Security Advisory: SecureDrop and the EFAIL Vulnerability

Today, security researchers disclosed vulnerabilities, collectively called EFAIL, in how the decryption and display of PGP-encrypted emails are handled in multiple email clients (see EFAIL website, EFAIL paper). SecureDrop submissions are not sent via email, and can only be decrypted on the air-gapped Secure Viewing Station, so the content of … Read More

Security Advisory

How the Spectre and Meltdown Vulnerabilities impact SecureDrop Users

Based on publicly available information and our current understanding of the Meltdown and Spectre vulnerabilities, both vulnerabilities require an adversary to have arbitrary code execution capabilities on the host. Given that SecureDrop’s Application and Monitor servers do not allow arbitrary code execution, these vulnerabilities appear not to be directly exploitable … Read More

Security Advisory

We found a vulnerability in the SecureDrop installation process. Here’s how we’re fixing it.

On the evening of Monday October 16th, just as the SecureDrop team was about to head home for the day, two of our engineers, while doing some testing for a new version of SecureDrop expected to be released the following week, discovered a serious vulnerability in the SecureDrop code. Read More

Security Advisory

Security Advisory: Do not scan QR codes submitted through SecureDrop with connected devices

We have recently become aware of attacks attempting to exfiltrate data from the SecureDrop airgapped Secure Viewing Station. These attacks come in the form of QR codes that journalists must scan with an internet-connected device such as a phone. The QR code contains a link that sends exfiltrated data from the airgap environment to an attacker. Read More

Security Advisory

How the Tor traffic confirmation attack affects SecureDrop users

On Wednesday morning, the Tor Project published a security advisory detailing an attack against the Tor network that appears to have been trying to deanonymize users. SecureDrop, our open-source whistleblower submission system, is heavily reliant on Tor and uses the anonymity network to facilitate communication between whistleblowers, journalists, and news organizations. For this reason, we wanted to clarify how the attack affects users of SecureDrop. Read More