
CVE-2024-33669

Severity: Medium
Published: Fri Apr 26 2024 (04/26/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in Passbolt Browser Extension before 4.6.2. It can send multiple requests to HaveIBeenPwned while a password is being typed, which results in an information leak. This allows an attacker capable of observing Passbolt's HTTPS queries to the Pwned Password API to more easily brute force passwords that are manually typed by the user.

AI-Powered Analysis (machine-generated threat intelligence)

Last updated: 02/26/2026, 04:33:20 UTC

Technical Analysis

CVE-2024-33669 affects the Passbolt Browser Extension in versions before 4.6.2. The extension checks passwords against the HaveIBeenPwned (HIBP) Pwned Passwords API. That API is designed around k-anonymity: the client hashes the password with SHA-1 and sends only the first five hex characters of the hash, and the server replies with every hash suffix in that bucket, so the password itself never leaves the client. The defect is not in the protocol but in when the extension invokes it: instead of waiting until the user has finished entering the password, it issues a request for the partial password after keystrokes while it is still being typed. An attacker who can observe the extension's HTTPS traffic to the Pwned Passwords API cannot read the request contents, but can see that a request was made for each partial value, together with its timing and the size of the encrypted response. Each such request corresponds to a prefix of the final password, so the attacker obtains one observation per prefix rather than one for the whole password, which is what lets the password be attacked incrementally and reduces the brute-force search space substantially. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The record rates the issue medium severity: confidentiality impact is high, integrity and availability are unaffected, no privileges are required, but the attacker must be positioned to observe the traffic (high attack complexity) and the victim must type a password while the extension is active (user interaction required). No patch links are present in the record; the fix is to upgrade the Passbolt Browser Extension to 4.6.2 or later.

Potential Impact

This vulnerability affects the confidentiality of passwords that users type while the Passbolt Browser Extension is active. Because the leak is in traffic metadata rather than in decrypted content, a purely passive observer is enough: anyone on the same local network, at a compromised router or access point, at an upstream provider, or behind a monitoring proxy can record the sequence of HIBP queries without needing to break TLS or mount an active man-in-the-middle attack. The per-prefix observations make brute-force and guessing attacks against the typed password far more efficient, and a recovered password can be replayed against whatever account or system it protects. Organizations that rely on Passbolt for credential management therefore face an elevated risk of credential compromise, particularly for users who enter passwords on networks they do not control. The vulnerability does not itself touch integrity or availability, but a recovered credential can be the first step in account takeover and lateral movement.

Mitigation Recommendations

The effective remediation is to upgrade the Passbolt Browser Extension to version 4.6.2 or later, where the issue is addressed. Until the update is applied, users should avoid typing passwords into the extension on networks where traffic can be observed, such as public Wi-Fi. Note the limits of network-layer controls here: the queries already travel over HTTPS, so enforcing TLS or blocking interception does not help, because what leaks is the number, timing and size of the requests, not their content. Preventing the extension from reaching the Pwned Passwords API at all (for example by blocking api.pwnedpasswords.com) closes the leak at the cost of losing the breach check, which is a reasonable short-term trade-off in monitored environments. Multi-factor authentication on the accounts whose passwords are stored in Passbolt limits the damage from a recovered password. For developers building similar features, the lessons are to query the breach API only once the password is complete (on field blur or submit, or after a debounce that makes a single request per entered value), and to request padded responses from HIBP with the Add-Padding: true header so that response size reveals less about which bucket was queried.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-04-26T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED
