Early this year we shared our new Security page and first independent audit of Obsidian, coinciding with the release of Obsidian 1.5.3. Since then we’ve made numerous improvements to Obsidian.
Continuing our commitment to security and privacy, we asked the Berlin-based security firm Cure53 to perform a second penetration test and source code audit of the Obsidian apps, across all platforms. Special attention was given to hardening the new Web viewer plugin ahead of its first release.
We invite you to read a summary of the findings and the full report.
We were pleased to hear from Cure53 that incremental updates since Obsidian 1.5.3 maintained the highest degree of attention to security. No new vulnerabilities were found in public versions of Obsidian. Quoting from the summary:
The security standing of the Obsidian client component has improved since the previous audit, as evidenced by the identification of only a single rather serious vulnerability, which addresses a new browser webview feature (see DYL-03-007).
Particular emphasis was placed on hardening the Web viewer plugin during its development process, to ensure it would pass our strict security standards.
The new web viewer plugin implementation was carefully analyzed for common security pitfalls of WebView components, with the focus on its Electron interactions. The WebView tag configuration was inspected for security misconfigurations. The implementation neither utilizes any custom and potentially vulnerable webpreferences configuration, nor enables unsafe and dangerous attributes like nodeintegration or disablewebsecurity.
The project concluded in October 2024 and identified six vulnerabilities primarily related to unreleased versions of Web viewer. Fixes were incorporated into the first version of Web viewer in Obsidian 1.8.0, which was released to early-access users on December 18th, 2024.
We’re proud to report that the Cure53 team reviewed the resolutions and concluded that their recommendations have been properly followed. From the report summary:
Concluding, it needs to be highlighted that Obsidian’s swift response to address the identified issues of this audit demonstrates their commitment to ensuring a good level of security for their client. By continuing to monitor for new vulnerabilities and taking proactive measures to address them, Obsidian can further strengthen the security posture of their client component.
We look forward to publishing more security audits and updates, so you can continue to feel confident trusting Obsidian apps and services.