New security page and independent audit completed by Cure53

kepano on January 10, 2024

Obsidian is designed to be a private and secure space for your thoughts. From the start, Obsidian has been built to give you full control over your data, without requiring you to sign up for an account or share any personal information.

Our new Security page compiles information about how Obsidian approaches protecting your data. It is also the home for security audits completed by third parties. Our first audit by Cure53 is now available, and detailed below.

We make Obsidian so that we can capture our own private thoughts and ideas. Independent audits help us ensure that our code and procedures meet high security standards. We will continue working with industry-leading security firms on further audits that broaden coverage and keep this commitment transparent.

Independent audit of Obsidian apps by Cure53

We asked the Berlin-based security firm Cure53 to perform a penetration test and source code audit of the Obsidian apps. A future report will provide an audit of the Obsidian Sync server.

We invite you to read a summary of the findings and the full report. The project concluded in late December 2023, with fixes incorporated into Obsidian 1.5.3 released publicly on December 26th, 2023.

During the audit, the Cure53 team discovered four vulnerabilities that were promptly resolved:

  • CORS bypass via flawed URL validation
  • Arbitrary file read via local file embedding
  • Arbitrary file write via path traversal in Sync plugin
  • App protocol origin leak via CSS snippets

We’re proud to report that the Cure53 team reviewed the resolutions and concluded that their recommendations have been properly followed. From the report summary:

As the final phase of this project, in late December 2023, Cure53 conducted a remediation verification phase to examine how the Obsidian scope has improved over time and in relation to the findings communicated. In this area, the audit team is pleased to report that all vulnerabilities have been properly addressed and the recommendations from the assessment have been properly followed. Cure53 was able to review the diffs created by the Obsidian team to fix the reported issues and was therefore able to make reliable judgments about the quality of the fixes.

From the perspective of the Cure53 team, appropriate steps have been taken to ensure that good fixes have been created and are now in effect for the Obsidian clients, UI and features.

We look forward to publishing more security audits and updates, so you can continue to feel confident trusting Obsidian apps and services.
