Zotero deemed security risk

Hi all,

I work for a state wildlife agency which recently deemed Zotero a security risk, so they are banning it and removing it from our machines. I use this software a lot and it has been a fantastic tool in my research so I am pretty upset to see it go. Here are their reasons:

Zotero attempts to access “Microsoft\Edge\User Data\Default\Login Data” which contains saved passwords. The browser plugin triggers a security alert for attempts to access the file containing stored browser passwords.

Zotero accesses internet servers that are used to serve ads such as “hxxps://securepubads.g.doubleclick.net”.

Zotero does not have any formal security certification and there is no formal secure coding process. Simply relying on encryption at rest and in transit is not enough. They lack any standard cybersecurity documentation such as a SOC2 report, SSP, or ISO27001 report.

They are recommending Mendeley and EndNote instead. Does anyone have any counterpoints to this? I’d love to get this info to the developers to see if they might be able to beef up security to meet the agency’s demands.
  • This mostly seems like some severe misunderstandings.
    Zotero attempts to access “Microsoft\Edge\User Data\Default\Login Data” which contains saved passwords. The browser plugin triggers a security alert for attempts to access the file containing stored browser passwords.
    This is about the Zotero Connector? If so, they're very confused, and I don't know what "security alert" they're referring to. The Zotero Connector is a standard Chrome/Edge/Firefox extension, and it doesn't have any permission to access the browser password manager. It's just literally impossible. As with any browser extension, you can see the specific permissions the extension requests when you try to install the extension. The ones we need are explained in our privacy policy.
    Zotero accesses internet servers that are used to serve ads such as “hxxps://securepubads.g.doubleclick.net”.
    Zotero doesn't make any requests to ad servers on its own, and we'd need specific steps to reproduce to say more.

    There are one or two situations where operations within Zotero could trigger a webpage load, but that's literally a standard webpage load as any browser would make (Zotero is based on Firefox), and it depends entirely on what you're saving. For example, if you add an item by DOI, Zotero might follow the DOI URL and load the associated article webpage in order to make a webpage snapshot, and if the publisher uses Google ads on their site, those ad resources would get loaded as they would if you loaded the article page in your browser. You can turn off snapshot saving in the General pane of the settings (though that will prevent snapshots from being saved from the Zotero Connector as well).

    We're also looking into an issue where links in snapshots loaded in the Zotero 7 reader result in DNS (not HTTP) requests. That shouldn't happen, and we're going to try to fix that, but that generally wouldn't be ad servers, and again, it's solely making requests based on what you've saved.
    They lack any standard cybersecurity documentation such as a SOC2 report, SSP, or ISO27001 report.
    These are enterprise certifications that aren't realistic for an organization of our size. We can provide a HECVAT (an assessment tool used by higher-education institutions to evaluate security and privacy) on request.
    there is no formal secure coding process
    This is a meaningless claim. Zotero has been developed by a professional team of software developers for almost two decades. We consider privacy and security in everything we do, starting with Zotero's very design as an offline-first, open-source tool. They're welcome to review our codebase — literally every commit — if they have concerns about our "coding process", which they certainly can't do for our competitors.

    If they want to recommend tools produced by companies literally in the business of selling their users' data, that's a choice, but it's certainly not the one we would make.

    If they have specific technical questions, they can post here or email us at support@zotero.org.
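One way to check the first of the agency's claims directly, as an added example that is not part of this thread or of Zotero's own code: a small Python audit of an extension's manifest.json, which is where every API and host a Chrome/Edge extension may use is declared. The watchlist of broad permissions and the sample manifest are constructed for the example; the extension's own manifest would be audited with `audit_manifest_file()`.

```python
"""Audit the permissions an unpacked browser extension declares.

Added example, not Zotero's code: it reads a Chrome/Edge-style
manifest.json and lists what the extension asks the browser for. An
extension can only use APIs its manifest declares, and no WebExtension
permission reads the browser's own password store on disk, so a
manifest review is the place to start when a claim like the one above
is made. The sample manifest below is constructed for this example.
"""
import json

# Permissions that deserve a closer look in review. Constructed
# watchlist for this example; it is not an official or exhaustive list.
WATCHLIST = {
    "<all_urls>": "content-script or fetch access to every site",
    "tabs": "read URLs and titles of open tabs",
    "webRequest": "observe requests the browser makes",
    "webRequestBlocking": "block or rewrite requests",
    "cookies": "read and write cookies",
    "history": "read browsing history",
    "debugger": "attach DevTools to pages",
    # the only route from an extension to local files is a separately
    # installed native host, so this one always merits a question
    "nativeMessaging": "talk to a native helper program",
}


def is_wildcard_host(pattern: str) -> bool:
    """True if a match pattern covers every host (e.g. <all_urls>, *://*/*)."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return host == "*"


def audit_manifest(manifest: dict) -> dict:
    """Summarise declared permissions and flag the broad ones."""
    perms = set(manifest.get("permissions", []))
    optional = set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixes host patterns into "permissions"; separate them.
    for p in list(perms):
        if p == "<all_urls>" or "://" in p:
            hosts.add(p)
            perms.discard(p)
    # content_scripts "matches" grant page access on those hosts too.
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    flagged = {p: WATCHLIST[p] for p in sorted(perms | optional | hosts) if p in WATCHLIST}
    return {
        "manifest_version": manifest.get("manifest_version"),
        "permissions": sorted(perms),
        "optional_permissions": sorted(optional),
        "host_permissions": sorted(hosts),
        "wildcard_hosts": sorted(h for h in hosts if is_wildcard_host(h)),
        "flagged": flagged,
    }


def audit_manifest_file(path: str) -> dict:
    """Audit a manifest.json on disk (path is whatever unpacked extension you review)."""
    with open(path, encoding="utf-8") as f:
        return audit_manifest(json.load(f))


# Constructed sample manifest (not any real extension's manifest).
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "example-extension",
    "permissions": ["storage", "contextMenus", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://*.example.org/*"], "js": ["cs.js"]}],
}

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

The point of the audit is the absence as much as the presence: a permission list tells you the widest reach the extension can have, and nothing in it maps to reading profile files such as the Edge `Login Data` database. If an endpoint agent raises an alert naming that file, the process to look at is the one the agent attributes the access to, not the extension's permission set.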
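For the ad-server point, a practitioner can confirm the explanation above by looking at what a saved snapshot itself references. The following is an added example, not Zotero's code: it parses a snapshot's HTML with the standard library and groups third-party hosts by whether a browser would fetch them when the page renders, only resolve them (dns-prefetch/preconnect hints), or contact them only on click or hover. The snapshot is constructed; the doubleclick host is the one quoted in the thread, everything else is an example placeholder.

```python
"""List the external hosts a saved webpage snapshot references.

Added example, not Zotero's code. It walks a snapshot's HTML with the
standard library and groups third-party hosts by how a browser would
touch them when the page is rendered: resources fetched immediately
(scripts, images, frames, stylesheets), hosts that are only resolved
(dns-prefetch/preconnect hints), and plain links that are contacted
only on click or hover. The snapshot below is constructed for the
example; only the doubleclick host comes from the thread.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

FETCHED_TAGS = {"script", "img", "iframe", "video", "audio", "source", "embed"}
RESOLVE_ONLY_RELS = {"dns-prefetch", "preconnect"}


class _RefCollector(HTMLParser):
    """Collect (tag, rel, url) for every attribute that names a resource."""
    URL_ATTRS = ("src", "href", "data-src", "poster")

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for name in self.URL_ATTRS:
            if a.get(name):
                self.refs.append((tag, (a.get("rel") or "").lower(), a[name]))


def classify(tag: str, rel: str) -> str:
    """How the browser touches the host: fetched, resolved_only, on_interaction, other."""
    if tag in FETCHED_TAGS:
        return "fetched"
    if tag == "link":
        rels = set(rel.split())
        return "resolved_only" if rels & RESOLVE_ONLY_RELS else "fetched"
    if tag == "a":
        return "on_interaction"
    return "other"


def external_hosts(html: str, page_host: str) -> dict:
    """Map category -> sorted list of third-party hosts referenced by the page."""
    parser = _RefCollector()
    parser.feed(html)
    out = defaultdict(set)
    for tag, rel, url in parser.refs:
        host = urlparse(url).hostname  # None for relative URLs
        # skip the page's own host and its subdomains
        if not host or host == page_host or host.endswith("." + page_host):
            continue
        out[classify(tag, rel)].add(host)
    return {k: sorted(v) for k, v in out.items()}


# Constructed snapshot of a publisher page; the ad host is the one
# named in the thread, everything else is an example.* placeholder.
SAMPLE_SNAPSHOT = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="dns-prefetch" href="//fonts.example.net">
<script src="https://securepubads.g.doubleclick.net/example.js"></script>
</head><body>
<img src="https://cdn.journal.example/figure1.png">
<a href="https://www.example.org/related">related work</a>
<a href="/article/123/references">references</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, hosts in external_hosts(SAMPLE_SNAPSHOT, "journal.example").items():
        print(f"{kind}: {', '.join(hosts)}")
```

Run against a real snapshot directory, this gives an IT reviewer the list of hosts the saved page would contact on its own, which can then be matched against whatever their proxy or DNS logs recorded; a host that appears in both columns is explained by the saved content rather than by the application.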
  • Also, while they of course need to make their own evaluation, they should know that Zotero is widely used across federal and state government in the U.S. and abroad and is recommended by countless top universities around the world, so this is not a common assessment.
  • Is there any chance I can convince you to engage with members of our IT team directly? I feel Zotero is extremely valuable in my research and also feel very strongly about the ethics of open source programs. However, I have no background in application security and I do not think they will listen to me at all, plus I would not be able to answer any response (for example, if they did provide specific steps to reproduce an issue).

    I can provide emails and phone numbers for our information security manager and/or network service section leader and/or chief information officer.
  • This obviously shouldn't be on you. As I say, they're welcome to contact us at support@zotero.org with any questions. But I'm afraid we can't spend time reaching out to some IT department just because they have some confused ideas about Zotero security.