Critical Cryptocat group chat bug fixed
Posted on 04 July 2013.
A critical security vulnerability in Cryptocat versions older than 2.0.42 has been patched and developers are urging users to update to the latest available version of the encrypted online chatting app.


According to their Thursday blog post, the vulnerability was discovered by a volunteer named Steve Thomas a few weeks ago, and allowed any conversations had over Cryptocat’s group chat function between versions 2.0 and 2.0.42 to be easily cracked via a brute force attack.

"Private chats are not affected: Private queries (1-on-1) are handled over the OTR protocol, and are therefore completely unaffected by this bug. Their security was not weakened," they also made sure to note.

"Our SSL keys are safe: For some reason, there are rumors that our SSL keys were compromised. To the best of our knowledge, this is not the case. All Cryptocat data still passed over SSL, and that offers a small layer of protection that may help with this issue. Of course, it does not in any way save from the fact that due to our blunder, seven months of conversations were easier to crack," they explained, and apologized for making the mistake.

The announcement was apparently a reaction to Steve Thomas' own blog post in which he urged users who used Cryptocat from October 17th, 2011 to June 15th, 2013 to assume their messages were compromised.

"There was a bug in the generation of ECC private keys that went unchecked for 347 days," he wrote, saying that the flaw made the ECC private keys "ridiculously small" and, therefore, easily crackable.

To prove his point, he created Decryptocat, a tool that at cracks those keys in Cryptocat versions 1.1.147 through 2.0.41.

Despite helping the project, Thomas obviously does not have a high opinion of Cryptocat's developers.

"Cryptocat is run by people that don't know crypto, make stupid mistakes, and not enough eyes are looking at their code to find the bugs," he says. "Cryptocat tried BPKDF2, RSA, Diffie-Hellman, and ECC and managed to mess them all up because they used iterations or key sizes less than the minimums [sic]."

He advises users not to use Cryptocat as "there's no telling how long it will be until they break their public key encryption."









Spotlight

Staples customers likely the latest victims of credit card breach

Posted on 21 October 2014.  |  Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Oct 22nd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //