
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2024-33669 affects Passbolt Browser Extension versions before 4.6.2. The vulnerability involves an information leak where the extension sends multiple requests to HaveIBeenPwned while a password is being typed (NVD, Quarkslab Blog).
The vulnerability occurs because the Passbolt Browser Extension queries the HaveIBeenPwned (Pwned Passwords) range API as soon as a user types a password, with a 300ms debounce between keystrokes. For passwords longer than 7 characters, each keystroke triggers an API query containing the first 5 hexadecimal characters (20 bits) of the SHA1 hash of the password as typed so far. An attacker who can observe these HTTPS queries therefore sees a sequence of hash prefixes, one per intermediate password state, which makes it feasible to brute force the password being typed (Quarkslab Blog).
An attacker capable of observing Passbolt's HTTPS queries to the Pwned Password API can more easily brute force passwords that are manually typed by the user. The vulnerability becomes particularly effective for passwords of 11 characters or longer, where multiple sequential API queries can be used to progressively determine each character (NVD, Quarkslab Blog).
The vulnerability has been fixed in Passbolt Browser Extension version 4.6.2. The fix involves only querying the Pwned Passwords API when saving a new or updated password, and only if the password's estimated entropy is larger than 60 bits (Passbolt Incident, Quarkslab Blog).
Following the disclosure, Troy Hunt updated the Pwned Passwords APIv3 documentation to include a warning about the risks of incremental searches. The vulnerability was responsibly disclosed to Passbolt, who responded promptly and collaborated actively to ensure a smooth resolution (Quarkslab Blog).
Source: This report was generated using AI