About SecureDrop
SecureDrop is an open source whistleblower submission system that media organizations and NGOs can install to accept anonymous, secure documents from sources. It receives documents via the Tor network (a distributed network of relays that help protect users’ privacy), records only the date and time of the transfer, and enables recipients to view submissions in its “Secure Viewing Station”—an air-gapped machine with no internet connection. There, recipients can decrypt an encrypted submission, strip a document of any identifying metadata (or malware), and export or print a file after processing it. Through these measures, SecureDrop obscures the location of the source and helps protect the receiving organization from outside surveillance.
SecureDrop was created in 2012 by Aaron Swartz, working with James Dolan and journalist Kevin Poulsen. Originally named “DeadDrop,” it was renamed in 2013 when project management was transferred to the Freedom of the Press Foundation.
Audit Description
OTF’s Security Lab partner 7ASecurity conducted a “whitebox” audit (a form of testing in which auditors have complete knowledge of the item being tested) of SecureDrop between May and June 2024, including SecureDrop servers, source code, and documentation. The audit team also tested SecureDrop’s Supply Chain Implementation and the package repositories that are hosted by the Freedom of the Press Foundation.
Scope
The scope of the security review included:
- WP1: Whitebox Tests against SecureDrop Server
- WP2: Whitebox Tests against SecureDrop Supply Chain Implementation
- WP3: Whitebox Tests against a production-like setup of SecureDrop
- WP4: Whitebox Tests against SecureDrop Implementation on Backend Services (Source Interface, Journalist Interface, API)
- WP5: Blackbox testing of FPF-hosted SecureDrop package repositories
- WP6: Privacy tests against SecureDrop Servers
- WP7: SecureDrop Lightweight Threat Model review
Findings
Overall, the auditors found that SecureDrop defended itself well against a broad range of attacks. The report notes one “medium” and two “low-risk” vulnerabilities, along with 15 additional recommendations for hardening against possible attacks. The significant issues noted include:
- (Medium-Risk) Arbitrary Two-Factor Authentication (2FA) Enrollment via Insecure Direct Object Reference: The application fails to validate access to multi-factor authentication (MFA) enrollment when adding MFA via QR codes. This means a malicious actor could exploit the flaw to manipulate settings for other administrators, compromising the security of the authentication process. Auditors recommended removing administrators’ access to other users’ MFA settings and giving users direct control over their own settings (such as forcing 2FA registration at first login).
- (Low-Risk) Possible User DoS via Logout Cross-Site Request Forgery (CSRF): The logout function is vulnerable to CSRF, which could enable an attacker to repeatedly send users to an attacker-controlled destination. Auditors recommended adding CSRF token protection to the logout function.
- (Low-Risk) Unauthenticated Access to Local Redis: Access to the system’s Redis (an in-memory database) does not require authentication. Auditors recommended requiring authentication.
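To make the first two findings concrete, the following added Python example (written for this summary; it is not SecureDrop’s code and its `ISSUER` name, session model and in-memory stores are constructed stand-ins) shows the shape of the recommended fixes: MFA enrollment bound to the logged-in account rather than to a user named in the request, and a logout that only acts on a POST carrying the session’s CSRF token. Denied attempts are written to a stand-in audit log so that they can be alerted on.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import quote

ISSUER = "ExampleDrop"              # constructed issuer label, not SecureDrop's
totp_secrets: Dict[str, str] = {}   # username -> base32 TOTP seed (in-memory stand-in)
audit_log: List[str] = []           # stand-in for the application's security log


@dataclass
class Session:
    user: str
    is_admin: bool = False
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    active: bool = True


class Forbidden(Exception):
    pass


def enroll_totp(session: Session, requested_user: str) -> str:
    """Return the otpauth:// provisioning URI that the enrollment QR code encodes.
    IDOR fix: the account being enrolled is the session's own account; a request
    naming any other user is refused, admin flag or not, and the attempt is logged."""
    if not session.active:
        raise Forbidden("not logged in")
    if requested_user != session.user:
        audit_log.append(f"DENIED mfa-enroll by={session.user} "
                         f"admin={session.is_admin} target={requested_user}")
        raise Forbidden("MFA can only be enrolled for your own account")
    seed = base64.b32encode(secrets.token_bytes(20)).decode()  # 160-bit seed, 32 chars
    totp_secrets[session.user] = seed
    label = quote(f"{ISSUER}:{session.user}")
    return (f"otpauth://totp/{label}?secret={seed}&issuer={quote(ISSUER)}"
            "&algorithm=SHA1&digits=6&period=30")


def logout(session: Session, method: str, submitted_token: Optional[str]) -> bool:
    """Logout CSRF fix: logout changes state, so it accepts only POST with the
    session's CSRF token (constant-time compare). A cross-site GET, <img> or
    auto-submitted form without the token cannot end a journalist's session."""
    if method != "POST" or submitted_token is None:
        return False
    if not hmac.compare_digest(submitted_token, session.csrf_token):
        audit_log.append(f"DENIED logout user={session.user} reason=csrf-mismatch")
        return False
    session.active = False
    return True
```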
In addition to the issues identified above, the auditors provided a threat model review that notes vulnerabilities if a journalist is a bad actor or compromised, as well as suggestions for possible improvements to supply chain security, OS-level authentication and authorization, file permissions, data encryption, firewall configurations, and OS-level logging and monitoring, among others.
Remediation
SecureDrop remediated the three vulnerabilities identified and 7ASecurity validated the fixes. Of the 15 hardening recommendations in the audit, one recommendation—adding DoS mitigation to Onion services—was partly addressed during the audit process and auditors validated the fixes. SecureDrop also addressed the recommendation to strengthen password creation security on the back end.