Encrypted IM Tool Vulnerable To Eavesdropping

Bugs in instant messaging encryption tool Cryptocat left users group chats vulnerable to eavesdropping for over a year, says security researcher.

(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
Cryptocat, a free tool designed to encrypt online chats, has been updated to fix errors that would have allowed an attacker to eavesdrop on chats. The vulnerability resulted from developers using below-minimum public key sizes or iterations. As a result, anyone who used a vulnerable version of Cryptocat to hold a group conversation, or who communicated with anyone using the software, could have had their communications easily intercepted.
That warning was sounded by security researcher Steve Thomas, who detailed the errors in a blog post. If you used group chat in Cryptocat from Oct. 17th, 2011 to June 15th, 2013, assume your messages were compromised, he said. Also if you or the person you are talking to has a version from that time span, then assume your messages are being compromised.
Thomas built a tool he calls
DecryptoCat
, which cracks the
ECC public keys
generated by Cryptocat versions 1.1.147 through 2.0.41 in about a day, he said. Using the information generated by the tool, it would then take just a few minutes to crack any vulnerable Cryptocat key. Based on the coding errors he found, Thomas had harsh words for the chat tools developers, who he labeled as being incompetent. I feel bad about calling them incompetent, but it is true. If you mess up in all the places I cared to check ... thats incompetence, he said.
[ Need an encryption how-to? Read
5 Rules For (Almost) Painless Encryption
. ]
In response, Cryptocat
issued an apology
, and said that the bug detailed by Thomas -- which they claimed left users communications vulnerable for only seven months -- was rapidly fixed. The vulnerability was quickly resolved and an update was pushed, said the Cryptocat development blog post. We sincerely thank Steve for his invaluable effort.
The developers emphasized that its impossible to keep software entirely free from bugs. Bad bugs happen all the time in all projects, they said. Cryptocat is not any different from any of the other notable privacy, encryption and security projects, in which vulnerabilities get pointed out on a regular basis and are fixed. Bugs will continue to happen in Cryptocat, and they will continue to happen in other projects as well. This is how open source security works. Even so, the developers said theyd revamped their messaging to would-be users. Weve added a new, more visible warning about Cryptocats experimental status to our website! the group
tweeted
Sunday. Likewise, the website where the software may be downloaded sports the following warning: Cryptocat is not a magic bullet. You should never trust any piece of software with your life, and Cryptocat is no exception.
Thomas acknowledged that the developers fix corrected the problem his DecryptoCat tool exploits. For Cryptocat version 2.0.42 this will take 1,000 computer-years to generate [cracked keys], 500 computer-years on average to use, and 40 petabytes to store, he said. So the only ones capable of doing this are large companies and governments.
Is Cryptocat now safe to use? In fact, Thomas said his bug report wasnt meant to be exhaustive, and warned against relying on the application for encrypted communications. Im sure there are plenty of bugs and other bad crypto in other parts because I only looked at random generation and found a bug, at public key algorithm and found a bug, and quickly looked where random is used and found something scary, and random (BigInt.randBigInt) used in two-party messaging and found a bug, he said.
The exploitable Cryptocat vulnerabilities are notable, given that interest in
using encrypted communications tools
has been growing in the wake of leaks by former National Security Agency (NSA) contractor Edward Snowden, who revealed the existence of numerous NSA data and metadata-interception programs.
But ensuring that communications cant be intercepted depends in large part on the applications not including exploitable vulnerabilities or bugs. For example, Bruce Schneier, chief security technology officer of BT, Monday detailed
four techniques for protecting communications against snooping
: use vulnerability-free applications, choose secure passwords, manage those passwords securely and know the threat youre facing.
Although Schneiers advice pertained to securing email, it also applies to chat -- and its notable that the first tip is to use applications that dont include vulnerabilities. His reasoning is simple: No matter how great the cryptography used by an application, if someone wants to intercept messages sent using that application, theyre going to first see if breaking the engineering might suffice. In the case of Cryptocat, prior to the patch, that would have been the case.
Then again, according to leaked NSA docs, the agency is
legally allowed to retain encrypted communications indefinitely
, meaning that simply by using an application such as Cryptocat, people might already be putting themselves at greater risk of having their communications intercepted and studied. Thus, anyone who used a vulnerable version of Cryptocat might have had their encrypted communications stored. With Thomas bug information in hand, decrypting those messages would now be a trivial task.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Encrypted IM Tool Vulnerable To Eavesdropping