FlowCrypt is email encryption software. It uses OpenPGP to encrypt outgoing messages on your device with keys that only you and your recipient have access to.
This report describes the results of a security assessment targeting several parts of the FlowCrypt ecosystem. Carried out by Cure53 in June 2020, the project entailed a penetration test and a source code audit of the FlowCrypt items in scope.
As a result of the assessment, Cure53 collected substantial evidence and managed to document seven individual findings. Five items were classified as security vulnerabilities, while the remaining findings represent general weaknesses with lower exploitation potential. Note that two issues were given Critical severity levels, posing major risks for FlowCrypt. One of them lets a malicious actor overwrite arbitrary existing files on a user's device, accomplished simply by sending a maliciously prepared email. The other makes a Man-in-the-Middle (MitM) attack possible. The other issues are more privacy-related and include, among others, information leakage via HTTP requests and denial of service (DoS). Note that live-reporting was used during these tests and the maintainer managed to fix several issues while the test was still ongoing. Cure53 successfully verified those fixes.
The full audit and summary of findings can be found below.