Our first external security audit: what they found and how we fixed it
Seven findings, two critical. A straight-up write-up of what was wrong and what we shipped.
Context
In February we contracted an independent security firm for a full audit: edge-node code, admin service, user service, mobile clients, infrastructure. Three weeks, two engineers.
Finding #1 (critical): race condition in auth middleware
Under high load the auth middleware on the user service had a race in which a request could be served with another user's context. The trigger was a token refresh and a rate-limited request interleaving on the same shared request state.
Fix: every session now holds an isolated context instead of sharing one, and the identity check runs before any cache read, so a cache hit can never be attributed to the wrong user. Commit 8a2f1b0 on user-service.
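To make the bug class concrete, here is a constructed Node.js illustration of shared-state auth middleware next to the per-request fix. It is an added example, not code from the user service: the handler names, the token table and the timings are invented, and the "token refresh" is just an await that lets another request run in the middle of the first one.

```javascript
// Added illustration of the Finding #1 bug class. Hypothetical code, not the
// user service's middleware: identity kept in a module-level slot that every
// in-flight request shares, next to identity bound to the request itself.

// Constructed token table standing in for the session store.
const USERS = {
  'tok-alice': { id: 1, name: 'alice' },
  'tok-bob': { id: 2, name: 'bob' },
};

// Stand-in for any await inside the middleware (e.g. a token refresh round trip).
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// --- Vulnerable: identity lives in state shared by all concurrent requests ---
let currentUser = null;

async function vulnerableHandle(req) {
  currentUser = USERS[req.token];        // identity check writes the shared slot
  if (req.refresh) await sleep(50);      // while we wait, another request may overwrite it
  // Downstream code (cache reads, business logic) trusts the shared slot.
  return { requested: USERS[req.token].name, served: currentUser.name };
}

// --- Fixed: identity lives in a context object owned by this request only ---
async function safeHandle(req) {
  const ctx = { user: USERS[req.token] }; // resolved first, private to this call
  if (req.refresh) await sleep(50);
  return { requested: USERS[req.token].name, served: ctx.user.name };
}

// Race a refreshing request from alice against a fast request from bob that
// arrives while alice's refresh is still in flight. Returns [alice, bob] results.
async function race(handler) {
  const alice = handler({ token: 'tok-alice', refresh: true });
  await sleep(10);
  const bob = handler({ token: 'tok-bob', refresh: false });
  return Promise.all([alice, bob]);
}

// True when any request in the race was served under a different user's identity.
async function leaksIdentity(handler) {
  const results = await race(handler);
  return results.some((r) => r.requested !== r.served);
}

(async () => {
  console.log('shared slot leaks identity:', await leaksIdentity(vulnerableHandle));   // true
  console.log('per-request context leaks identity:', await leaksIdentity(safeHandle)); // false
})();
```

In the vulnerable version alice's request writes the slot, parks on the refresh, and resumes after bob's request has overwritten it, so alice's response is built from bob's identity. In a real Node service the idiomatic way to get a per-request context without threading `ctx` through every call is `AsyncLocalStorage` from `node:async_hooks`; the point is the same: identity must live somewhere only this request can reach.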
Finding #2 (critical): key storage on macOS keychain
macOS clients stored PSKs in the Keychain with the right access control, but our wrapper never set kSecAttrSynchronizable = false explicitly. In theory, a device with iCloud Keychain sync enabled could push keys to iCloud.
Fix: explicit kSecAttrSynchronizable = false at every write site. Existing keys get overwritten on next login. Commit 6e4cc9a on mobile client. Storing the item under one of the *ThisDeviceOnly accessibility classes gives a second, independent guarantee, since those items cannot be synced at all.
Finding #3 (high): logs leak client IP
In debug mode the edge node logged the client IP on a couple of error paths. Production never did, but debug mode was switched on by an env var that came from a config file in an S3 bucket, so anyone who could write to that bucket could turn IP logging on in production without touching the code.
Fix: IP logging removed from the debug path entirely, S3 credentials rotated, and the bucket policy tightened.
Findings #4–7 (medium/low)
- HSTS missing on auth.domain → added.
- Session cookie flags lacked SameSite=Strict → fixed.
- Weak CSP on status.domain → hardened.
- Potential timing attack in password check → switched to crypto.timingSafeEqual.
What we published alongside the fixes
A security disclosure page at /security with the changelog, a warrant canary and, most importantly, a bug bounty program. Someone at the auditing firm helped shape the scope; the bounty range is $100 to $10,000.
Takeaway
External audit is expensive ($35k) but pays back immediately for two reasons:
- It finds real bugs. We'd find them too, but not in the first three weeks.
- In anti-censorship marketing, "passed an external security audit" beats any slogan.