Shira is a web app that helps human rights defenders, activists, and journalists develop their skills to detect and defeat phishing attacks. Users are able to take a quiz and attempt to detect which of the simulated messages are phishing attacks and which are legitimate.

Through OTF’s Red Team Lab, Subgraph conducted a security review of the Shira app. The testing efforts were focused on the identification of flaws that create a risk to user privacy or may result in a compromise of confidentiality, integrity, or availability of the target system.

This included testing for vulnerabilities related to tampering of the management frontend (used by operators of a Shira instance) and the app frontend (used by end-users) that could mislead app users. Subgraph also assessed Shira’s API backend to uncover potential vulnerabilities to a breach of the administration interface.

The audit was conducted with full knowledge of the target system, including access to source code. The testers employed automated, manual, and custom testing methods.

Findings

Subgraph’s audit uncovered four low-severity vulnerabilities and one that does not pose a direct security risk but merits further investigation. Adversaries could guess email addresses used to administer a Shira deployment, and if they have physical access to the desktop they may be able to gain entry to an authenticated session (given the absence of a logout capability).

In addition, it’s best if third-party dependencies are kept current and that exceptions generated by erroneous client input are handled gracefully, with error logs, to avoid server crashes.

Remediation

Shira has since addressed the email issue in a way that makes it more difficult for an adversary to guess addresses, and created a logout function. They are currently fixing the remaining three vulnerabilities.

Security Audit Findings Report for Shira

Code: