About Dangerzone
Malicious attachments, or legitimate-looking attachments with malware hidden inside the file, are a major threat to user privacy and system security. Dangerzone is a tool that protects users from malicious or hidden code that may be embedded in documents such as PDFs, images, or Microsoft Word files. It does this by starting a separate Linux “container,” opening the document there and producing a new “virtual photocopy”: the pages are rendered to raw pixels, much as a scanner would, and those pixels are reassembled into a fresh document. Because the untrusted file is only ever opened inside that isolated container, which has no access to user data and no network connection, any malicious code it carries cannot reach the host or the internet, and users receive only the clean copy.
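As an added illustration of the “virtual photocopy” principle described above (example code written for this page, not Dangerzone’s own code): a pure-Python sanitizer for binary PPM images that parses the file down to its pixel array, discards everything else (header comments, trailing bytes), and writes a fresh file containing only those pixels. The `TAINTED` sample is constructed here, with a fake payload stashed in a header comment and appended after the pixel data. The real tool rasterizes PDFs and office documents with external converters inside a container and rebuilds a PDF; none of that is shown, and `parse_ppm`, `photocopy` and `dropped_bytes` are names chosen for this example.

```python
# Toy "virtual photocopy": reduce an image to its pixels and rebuild it.
# Example code written for this page, not part of Dangerzone. It handles only
# 8-bit binary PPM (P6) files; Dangerzone itself rasterizes PDFs and office
# documents inside a container, which is not shown here.


def _header_tokens(data: bytes):
    """Return the four P6 header tokens and the offset where pixel data starts.

    Comments ('#' to end of line) are legal anywhere in the header and are a
    natural place to hide arbitrary bytes, so they are skipped, never copied.
    """
    pos, tokens = 0, []
    while len(tokens) < 4:
        while pos < len(data) and data[pos:pos + 1].isspace():
            pos += 1
        if data[pos:pos + 1] == b"#":
            while pos < len(data) and data[pos:pos + 1] not in (b"\n", b"\r"):
                pos += 1
            continue
        start = pos
        while (pos < len(data) and not data[pos:pos + 1].isspace()
               and data[pos:pos + 1] != b"#"):
            pos += 1
        if start == pos:
            raise ValueError("truncated PPM header")
        tokens.append(data[start:pos])
    # Exactly one whitespace byte separates maxval from the pixel array.
    if not data[pos:pos + 1].isspace():
        raise ValueError("missing separator before pixel data")
    return tokens, pos + 1


def parse_ppm(data: bytes):
    """Parse a P6 file into (width, height, pixels); everything else is dropped."""
    tokens, start = _header_tokens(data)
    if tokens[0] != b"P6":
        raise ValueError("not a binary PPM")
    width, height, maxval = (int(t) for t in tokens[1:])
    if not (0 < width <= 10_000 and 0 < height <= 10_000):
        raise ValueError("unreasonable image dimensions")
    if maxval != 255:
        raise ValueError("only 8-bit samples are supported")
    n = width * height * 3
    pixels = data[start:start + n]
    if len(pixels) != n:
        raise ValueError("truncated pixel data")
    return width, height, pixels  # bytes after the pixel array are ignored


def photocopy(data: bytes) -> bytes:
    """Write a fresh P6 file containing nothing but the parsed pixels."""
    width, height, pixels = parse_ppm(data)
    return b"P6\n%d %d\n255\n" % (width, height) + pixels


def dropped_bytes(data: bytes) -> int:
    """How many bytes of the input did not survive the pixel round trip."""
    return len(data) - len(photocopy(data))


# Constructed sample: a 2x2 image with a fake payload hidden in a header
# comment and appended after the pixel array (a polyglot/trailing-data trick).
PAYLOAD = b"<script>alert(1)</script>"
PIXELS = bytes([255, 0, 0,  0, 255, 0,  0, 0, 255,  255, 255, 255])
TAINTED = (b"P6\n# " + PAYLOAD + b"\n2 2\n255\n" + PIXELS
           + b"\nPK\x03\x04" + PAYLOAD)

if __name__ == "__main__":
    clean = photocopy(TAINTED)
    print("payload in input :", PAYLOAD in TAINTED)
    print("payload in output:", PAYLOAD not in clean)
    print("bytes dropped    :", dropped_bytes(TAINTED))
```

The parser never copies anything it did not positively recognise as a pixel, which is the whole point: a file with a payload in a comment or after the image data comes out as a file with neither. The other half of Dangerzone’s design, running the converter itself in a container with no network and no access to the user’s files so that a bug in the parser cannot be turned against the host, is deliberately not reproduced in this example.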
As the tool’s creator Micah Lee explains, for journalists, “it’s your job to open documents from strangers, whether you get them in an email, a Signal or WhatsApp message.” Dangerzone makes it safer for journalists and others to work with the documents they receive.
Audit Description
Through OTF’s Security Lab, Include Security performed a security audit of Dangerzone in December 2023 using a standard “gray box” assessment. In this form of testing the auditors are given partial knowledge of the components under test, more than an outside attacker would have but less than the developers, so that they can combine an attacker’s perspective with targeted review of the internals. The audit included penetration testing, analysis of how the software responds to malicious inputs, and a review of the source code for potential vulnerabilities.
Scope
The assessment encompassed the following components:
• Dangerzone Web Application
• Client Application (Desktop)
• Application Architecture
• Docker Container/Sandbox Configuration
• Qubes OS Integration
Dangerzone relies on some external third-party components, but the audit did not include comprehensive checks of those components themselves. It focused solely on how they are configured and used, and on whether the application relied on outdated or vulnerable versions. For example, as explained in the findings, Dangerzone was found to use a third-party library for optical character recognition (OCR) that carries some potential risk, but the exploitability of that risk was not examined in depth. (OCR converts text that exists only as an image, such as a scanned page or handwriting, into machine-encoded text.)
Findings
The audit revealed ten issues: three in the “Low-Risk” category and seven “Informational” findings that did not pose immediate security risks. No issues were found in the higher categories of Critical, High, or Medium Risk.
The “Low-Risk” issues detected by the audit included:
- For Mac versions, installation defaults left some exposure to system resources and memory that could be avoided
- Risks introduced through known vulnerabilities in LibreOffice (the free, open-source office suite, including a word processor, that Dangerzone uses to open office documents), including the ability to execute malicious code inside the isolated document container that Dangerzone creates; the exposure could be reduced by disabling some LibreOffice features
- The presence of older, deprecated algorithms and protocols with known vulnerabilities that weaken the Dangerzone website’s SSL/TLS configurations
The “Informational” findings, which pose no immediate security risk, included:
- The presence of “non-essential” executable files in the “container image” used for file conversions; these pose no security threat today, but auditors noted that such files enlarge the attack surface and can become a source of vulnerabilities later as the application code grows more complex
- The absence of a built-in feature for users to password protect the final, “clean” documents they generate with Dangerzone
- The absence of a check to confirm the most up-to-date Docker/Docker Desktop applications are installed and running
- An information-disclosure issue in Dangerzone’s command-line interface: inputs passed as arguments (such as filenames) are recorded in the shell’s command history
- A lack of detailed feedback during the file-conversion process (the progress bar does not show time remaining), which could have an impact on users with limited time
- A vulnerability to sophisticated—if unlikely—attacks that could trick the OCR engine into saving or executing malicious files
- The use of outdated software libraries, including a version of Ghostscript (the PostScript and PDF interpreter) with publicly documented security issues
Full Audit Report
Read more about Dangerzone from sponsor organization Freedom of the Press Foundation