Fractal security audit

Projects that receive funding from NLnet are required to have their code audited for potential security issues. Ours was performed by Radically Open Security, a Non-Profit Computer Security Consultancy from the Netherlands.
Since Fractal, by design, doesn’t include much security-critical code, the security researcher extended the quick scan somewhat to the matrix-rust-sdk as well.

I have been in direct contact with the security researcher and they kept me up-to-date about their findings. This way, I could already start fixing identified security issues during the audit. Luckily, no major security issue was identified.

The issues found were addressed by us in the following way:

  • 4.1 CLN-013 — Fractal client stores images containing malware on filesystem

This is mainly a problem of the Matrix server, which doesn’t sanitize uploaded images. Images downloaded from the server are now stored in the encrypted store; this was initially an issue but has been resolved. Videos, on the other hand, are currently downloaded and stored in the cache unencrypted because of this issue.

  • 4.2 CLN-012 — Fractal’s markdown implementation hides URLs to possibly malicious websites

To address this, we now show the full URL when the user hovers a link in the room history. This was introduced in this merge request.
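To make the finding concrete, here is an added example (not Fractal’s or the matrix-rust-sdk’s code) of how a markdown link can display one URL while pointing at another, and of a renderer that keeps the full target available as the hover tooltip, which is the mitigation described above. The minimal link parser, the `RenderedLink` type and the host-mismatch flag are assumptions for illustration; the mismatch flag goes beyond the page’s fix and only marks labels that are themselves full URLs whose host differs from the target’s host. The sample message is constructed.

```rust
// Added example, not code from Fractal or matrix-rust-sdk.
// Demonstrates CLN-012: `[text](url)` lets the visible text hide the real
// target, so the full href must stay visible (here: as a tooltip).

#[derive(Debug, PartialEq)]
pub struct RenderedLink {
    /// Text the user sees in the room history.
    pub label: String,
    /// Full target URL; shown when the user hovers the link.
    pub tooltip: String,
    /// True when the label itself is a URL whose host differs from the
    /// target's host, i.e. the displayed text is actively misleading.
    /// (Assumed heuristic, not part of Fractal's fix.)
    pub suspicious: bool,
}

/// Extract the lower-cased host from `http(s)://[user@]host[:port]/...`.
/// Userinfo ("user@host") is dropped because it is a classic obfuscation
/// trick: `https://gnome.org@evil.example/` goes to evil.example.
fn host_of(url: &str) -> Option<String> {
    let rest = url
        .strip_prefix("https://")
        .or_else(|| url.strip_prefix("http://"))?;
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    let host_port = authority.rsplit('@').next()?;
    let host = host_port.split(':').next()?;
    if host.is_empty() {
        None
    } else {
        Some(host.to_ascii_lowercase())
    }
}

/// Build what the UI should show for one link: the label as written and the
/// full href as tooltip, plus the mismatch flag.
pub fn render_link(label: &str, url: &str) -> RenderedLink {
    let suspicious = match (host_of(label), host_of(url)) {
        (Some(shown), Some(target)) => shown != target,
        _ => false,
    };
    RenderedLink {
        label: label.to_string(),
        tooltip: url.to_string(),
        suspicious,
    }
}

/// Find every `[text](url)` inline link. Deliberately minimal: no nesting,
/// no reference-style links, no escapes, no ')' inside URLs.
pub fn extract_links(markdown: &str) -> Vec<RenderedLink> {
    let mut links = Vec::new();
    let mut rest = markdown;
    while let Some(open) = rest.find('[') {
        let after_open = &rest[open + 1..];
        let close = match after_open.find("](") {
            Some(i) => i,
            None => break,
        };
        let label = &after_open[..close];
        let after_url_start = &after_open[close + 2..];
        let end = match after_url_start.find(')') {
            Some(i) => i,
            None => break,
        };
        let url = &after_url_start[..end];
        links.push(render_link(label, url));
        rest = &after_url_start[end + 1..];
    }
    links
}

/// Constructed sample message: the first link's visible text is a trusted
/// looking URL, but the href points somewhere else entirely.
pub const SAMPLE: &str = "Check [https://gitlab.gnome.org](https://example.net/phish) \
and [the docs](https://docs.example.org/guide).";

fn main() {
    for link in extract_links(SAMPLE) {
        let note = if link.suspicious { "  <- label hides a different host" } else { "" };
        println!("{:<28} hover: {}{}", link.label, link.tooltip, note);
    }
}
```

Showing the href on hover is the minimum; the `suspicious` flag illustrates the stricter check a client could add, since a label that is itself a URL is exactly the case where a user will not think to hover.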

  • 4.3 CLN-011 — Fractal allows opening of .html and .htm files

This is a problem with any file downloaded from an untrusted source. The researchers suggested adding a warning dialog asking whether the user is sure they want to open the file. I don’t think adding a warning is sufficient to prevent users from opening files containing malicious code, especially since users often don’t read things and just click continue, or end up confused. We also recommend running Fractal inside a Flatpak sandbox, which uses a portal that asks which application to open the file with.

Additionally, in this merge request we removed the open-file button from the room history, so that users can’t easily open such files by mistake.

  • 4.4 CLN-010 — Matrix server does not sanitize uploaded images

The Matrix server should address this; we can’t really do anything about it locally.

  • 4.5 CLN-009 — Images are stored on disk unencrypted

Now all data is stored encrypted. See issue for more details.

  • 4.6 CLN-008 — Security impact not sufficiently documented

We documented this in our README in this merge request.

  • 4.7 CLN-007 — Sensitive data can be extracted from database

Now all data is stored encrypted. See issue for more details.

  • 4.8 CLN-006 — Fractal client supports weak TLS cipher suites

Restricting the cipher suites would be nice to have, but is unfortunately not currently possible. See this issue for more details.

  • 4.9 CLN-005 — Fractal client is able to connect with insecure TLS versions

Same situation as 4.8 CLN-006 above.


You can read the full report of the security audit here.
