According to security expert Steve Thomas, messages sent via Cryptocat between 17 October 2011 and 15 June 2013 are compromised. The security hole affects all versions of the chat software since 2.0, as the hole was only discovered and closed in version 2.0.42. On his web site, Steve Thomas has a massive go at the software developers.
 |
| Cryptocat |
Thomas says that the vulnerability was triggered by a flaw in the code for converting strings into arrays of integers. A function that expected an array of 15-bit integer values was actually handed a string of the digits 0 to 9 with the ASCII value of the digit taking the place of the 15-bit integer value and shrinking the possible values from 2^15 to 10. This meant the private Elliptic Curve Cryptography (ECC) keys would be "ridiculously small" and would present an ideal attack vector for brute force attacks. The expert was especially angered about the bug fix description, saying that the developers made an attempt to cover up their mistake claiming the fix became necessary because of backwards compatibility problems.
Cryptocat's false sense of security | The H Security
No comments:
Post a Comment