-
Notifications
You must be signed in to change notification settings - Fork 220
Security
Bernhard Spirkl edited this page Sep 28, 2025
·
12 revisions
- Feb. 2025: Security Audit of Mailvelope by 0xche
- Feb. 2019: Security Audit of Mailvelope by SEC Consult (BSI)
- Feb. 2017: Security Audit of Mailvelope by Cure53 (Posteo)
- Dec. 2015: Security Audit of Mailvelope by Cure53 (1und1)
- Jul. 2015: Security Audit of Mailvelope API by Cure53 (1und1)
- Dec. 2014: Security Audit of Mailvelope API by Cure53 (1und1)
- Oct. 2014: Pentest Mailvelope integrated editor by Cure53 (1und1)
- May 2014: Penetration test of Firefox add-on by iSECpartners (OTF)
- Feb. 2014: Security audit of OpenPGP.js by Cure53 (OTF)
- Feb. 2013: Penetration test of Chrome extension by Cure53 (OTF)
- Signature Spoofing Vulnerability in Mailvelope via OpenPGP.js. (fixed in Mailvelope v6.1.0) Security advisory
- Clickjacking (CVE-2019-9147). (fixed in Mailvelope v3.1.0)
- Missing Message and Key Validity Checks (CVE-2019-9148). (fixed in Mailvelope v3.3.0)
- Private Key Operations Require no User Interaction (CVE-2019-9149). (fixed in Mailvelope v3.3.0)
- Key Import User Interaction Bypass (CVE-2019-9150). (fixed in Mailvelope v3.3.0)
- XSS via HTML file download link. (fixed in Mailvelope v1.3.2) Detailed analysis
- Bug in S2K allows decryption of malformed private key backup messages. (fixed in Mailvelope v1.2.0) Detailed analysis
- Integrated documentation page can access privileged API. (fixed in Mailvelope v0.11.0) Detailed analysis
- EME PKCS1 v1_5 padding bug in OpenPGP.js. (fixed in Mailvelope v0.8.0) Detailed analysis and blog post.