Latest security audit verifies Mailvelope's resilience
Security audits have long been a cornerstone of Mailvelope's security strategy. As an open-source browser extension, we rely not only on transparent code but also on independent third-party reviews to ensure security for the users. While open-source transparency allows anyone to review our code, regular independent audits complement this by systematically uncovering hidden issues and providing expert validation.
Since 2013, Mailvelope has undergone ten independent security audits. Past reviews have been conducted by respected auditors such as Cure53, SEC Consult, and iSECpartners, each covering critical areas such as the browser extension itself, the cryptographic software architecture, and supporting infrastructure like the Mailvelope key server.
Partnership with 0xche and support from OTF
For our latest security assessment, we partnered with 0xche, a security research collective that specializes in comprehensive application security audits, combining static code analysis with dynamic testing and real-world attack scenario modeling. Their solid technical expertise made them an ideal partner for evaluating Mailvelope's security posture.
This comprehensive audit was made possible through the support of the Open Technology Fund as part of their FOSSS (Free and Open Source Software Sustainability) fund, of which Mailvelope is a participant. We sincerely thank the Open Technology Fund for its continued support of open-source privacy tools, and 0xche for conducting a thorough and professional security assessment.
Audit methodology
For the recent audit, 0xche conducted comprehensive security testing of the Mailvelope extension across Chrome and Firefox browsers, combining both manual analysis and automated testing tools to identify potential vulnerabilities. The testing methodology emphasized real-world conditions by running the extension in live browser environments and monitoring actual runtime behavior, allowing them to identify vulnerabilities that only manifest during active use.
As part of their process, the auditors reviewed the source code to identify common vulnerabilities such as cross-site scripting (XSS) and unsafe coding patterns. Network traffic was monitored to assess the security of data transmissions and detect any unintended information leakage. In addition, 0xche analyzed the browser permissions to ensure that Mailvelope only requests access it truly needs. The auditors also examined the user interface for risks such as phishing attempts, deceptive interactions, and accidental user actions. Finally, the team considered different attack scenarios, such as ways user data could be exposed if the extension's interaction with the browser or third-party tools went wrong.
The audit covered all major features of Mailvelope version 6.0.1, including encryption, decryption, digital signatures, key management, file encryption, and configuration options. The audit did not include the OpenPGP library.
Key findings and architectural strengths
0xche identified seven issues: one high-severity clickjacking vulnerability, one low-severity prototype pollution issue, and five informational findings related to validation, privacy controls, and outdated dependencies.
Despite these findings, the audit reconfirmed the robustness of Mailvelope’s implementation. According to 0xche, Mailvelope “maintains strong security boundaries by leveraging Chrome’s Extension APIs” and its “permissions model was well-restricted, ensuring that only necessary access was granted”. Communication between internal components was also recognized as secure: “message interception and spoofing are infeasible” due to properly implemented channels between background, content, and web page scripts.
The report further validates Mailvelope’s approach to secure architecture, noting the “strict isolation and validation of key management and cryptographic operations” and the use of “sandboxed iframes and randomized security elements” to protect critical components against spoofing and interception.
Cited from: 0xche, Mailvelope Security Audit 2025. Section 5, "High level summary"
How we addressed vulnerabilities
As highlighted in the audit, the most critical issue identified was a clickjacking vulnerability affecting the client-API. This feature allowed email providers to embed Mailvelope's settings interface directly into their own web pages, creating the risk that malicious actors could deceive users into performing unintended actions via hidden overlays.
Following 0xche's report, we promptly addressed the issue by removing the ability to embed the settings interface in release 6.1.0. Mailvelope settings can now only be opened in a separate browser tab, effectively closing the attack vector while preserving functionality for legitimate client-API integrations.
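As an added example (not Mailvelope's code and not the fix shipped in 6.1.0), a load-time frame guard that a sensitive extension page can use: it refuses to render its controls when it detects that it is embedded, and offers a top-level tab instead, removing the framing precondition that the clickjacking finding depends on. `isFramed`, `guardSettingsPage` and the fake window/document helper are hypothetical names; the window and document are passed in so the logic can be exercised outside a browser.

```javascript
// Added example: a frame guard for a sensitive settings page. Clickjacking
// needs the victim UI to be framed under an attacker-controlled overlay, so a
// page that never renders its controls inside a frame closes that vector.

function isFramed(win) {
  try {
    // `top` and `self` are accessible regardless of origin; if they differ,
    // this document is embedded in another page.
    return win.top !== win.self;
  } catch (e) {
    // Defensive: if the host object throws on access, assume we are framed.
    return true;
  }
}

function guardSettingsPage(win, doc) {
  if (!isFramed(win)) {
    return { action: 'render', reason: 'top-level document' };
  }
  // Framed: do not render the real controls. Replace the body with a plain
  // notice and a link that opens the same URL in a new top-level tab
  // (rel=noopener so the new tab gets no handle back to the framing page).
  const href = win.location.href;
  const notice = doc.createElement('p');
  notice.textContent = 'Settings cannot be shown inside another page. ';
  const link = doc.createElement('a');
  link.href = href;
  link.target = '_blank';
  link.rel = 'noopener';
  link.textContent = 'Open settings in a new tab';
  notice.appendChild(link);
  doc.body.replaceChildren(notice);
  return { action: 'blocked', reason: 'framed', openInTab: href };
}

// Constructed fakes (hypothetical helper) standing in for a real window and
// document, so the guard can be run and checked without a browser.
function makeFakeEnv(framed, href) {
  const self = {};
  const win = { self, top: framed ? {} : self, location: { href } };
  const body = { children: [], replaceChildren(...nodes) { this.children = nodes; } };
  const doc = {
    body,
    createElement: (tag) => ({ tag, children: [], appendChild(c) { this.children.push(c); } }),
  };
  return { win, doc };
}
```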
In line with our commitment to transparency, the full audit report is publicly available on our website. We believe that open disclosure not only reinforces our own security practices, but also supports the wider ecosystem of privacy-preserving software.
Moving forward
The audit reaffirms our commitment to maintaining Mailvelope as a reliable and secure tool for email encryption. We will continue to prioritize regular third-party assessments, transparent disclosure of findings, timely remediation of vulnerabilities, and the ongoing improvement of our security practices. Security is an ongoing process, not a fixed goal. It's our community's trust that drives us to keep strengthening Mailvelope's protections every step of the way. If you have any technical questions about this audit or Mailvelope's security practices, please don't hesitate to reach out through our channels on GitHub or directly to info@mailvelope.com.