Security News > 2021 > April > SecureDrop Workstation Gets Post-Audit Security Refresh
The open-source SecureDrop Workstation has undergone a security makeover after a third-party security audit flagged multiple problems, including a high-risk bug that could allow an attacker to plant files on target machines.
The SecureDrop Workstation audit, conducted by Trail of Bits and financed by the New York Times, warned that the high-risk directory traversal bug could be leveraged for code execution attacks.
Overall, the security assessment gave SecureDrop workstation a positive security bill of health.
"We were unable to achieve a direct compromise of the Workstation from the position of an Internet-based attacker during our engagement," Trail of Bits said, but made it clear this doesn't imply that such a compromise exists or that SecureDrop Workstation is free of bugs.
SecureDrop Workstation is currently managed by the Freedom of the Press Foundation.
None of the issues identified were directly exploitable by an attacker, and require either compromise of the SecureDrop server, or code execution in certain key VMs within the SecureDrop Workstation, the Foundation said.