Project Overview

The engagement was performed between 2023.04.03 and 2023.04.05. It was performed by:

  • Alexandre Dang
  • Philip Reed
  • Matthias Kandora
  • Tillmann Weidinger

The total time spent on auditing was 4 person days. The audit was performed as a pro bono audit to improve the open source ecosystem and our internal auditing workflows, and was coordinated with engineers and management of Bloop.ai.

During the audit we uncovered 2 vulnerabilities, 6 weaknesses, 0 best practice violations, 0 informational observations and investigated 1 lead which we found to be not exploitable.

The scope of the project was limited to the following repositories:

Communication happened via a shared Slack channel during and after the audit. The responsive and skilled team at Bloop.ai allowed for a quick exchange of questions and answers to solve immediate roadblocks and guaranteed a smooth auditing process.

All findings were presented in a synchronous video call to the engineering team of Bloop.ai before the final draft of this report, to ensure timely fixes and appropriate fix understanding.

One finding was discovered during internal review of our findings after the call mentioned above and was added to the report after the project's active phase was concluded. This finding was communicated separately from the previous findings via the shared Slack channel.

Summary

The audit uncovered a critical vulnerability, which was found to have a severe impact on the defined risks of the project.

The impact of the underlying vulnerability was not properly constrained via the Tauri configuration, which highlights that the hardening of, and knowledge about, the Tauri security model can be significantly improved.

The ability of malicious repositories to gain script execution and restricted system access violates the confidentiality, integrity and availability of other, non-malicious repositories, as well as of system resources the user granted access to.

The other weaknesses and vulnerabilities found do not pose an immediate threat to the project, but we strongly recommend fixing them in a timely fashion.

As the scope was fairly limited, we cannot fully conclude on the whole security posture of the bloop.ai application. Our limited conclusion is that, after hardening of the Tauri configuration and frontend, it will be significantly harder for an attacker to abuse flaws in the implementation. We cannot draw conclusions about the security guarantees of the local backend component written in Rust, nor about the safety of the web-based frontend, without a dedicated audit.
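As an added illustration of what "constraining impact via the Tauri configuration" means in practice, the following `tauri.conf.json` fragments contrast a permissive allowlist with a constrained one. This is example configuration written for this report edit, not Bloop.ai's actual configuration (which the report does not reproduce) and not a finding; the keys are those of the Tauri 1.x `allowlist` and `security` sections, and the specific scopes and CSP are assumptions chosen to show the pattern. With `allowlist.all: true`, any script that gains execution in the webview can reach every enabled native API; with the constrained form, the same script is limited to the few commands and filesystem scopes the application actually needs, and the CSP makes injecting such a script harder in the first place.

```json
{
  "_comment": "Permissive: every Tauri API is reachable from the webview, so script execution in the frontend equals broad system access.",
  "permissive_example": {
    "tauri": {
      "allowlist": {
        "all": true
      },
      "security": {
        "csp": null
      }
    }
  },

  "_comment2": "Constrained: deny everything by default, then enable only the APIs and scopes the app needs (scopes below are assumed placeholders).",
  "hardened_example": {
    "tauri": {
      "allowlist": {
        "all": false,
        "shell": {
          "all": false,
          "execute": false,
          "sidecar": false,
          "open": false,
          "scope": []
        },
        "fs": {
          "all": false,
          "readFile": true,
          "writeFile": false,
          "scope": ["$APPDATA/*"]
        },
        "http": {
          "all": false,
          "request": true,
          "scope": ["https://api.example.invalid/*"]
        }
      },
      "security": {
        "csp": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://api.example.invalid"
      }
    }
  }
}
```

In a real project only one of the two `tauri` objects would exist at the top level of `tauri.conf.json`; they are placed side by side here purely for comparison. The useful check for a reviewer is the same either way: list every allowlist entry that is enabled, and for each one ask what a page that has already gained script execution could do with it.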

It was a pleasure for our team to work on such an impactful open source project and we hope to further contribute in future audits.