A critical security vulnerability in Cryptocat versions older than 2.0.42 has been patched and developers are urging users to update to the latest available version of the encrypted online chatting app.

According to their Thursday blog post, the vulnerability was discovered by a volunteer named Steve Thomas a few weeks ago, and allowed any conversations had over Cryptocat’s group chat function between versions 2.0 and 2.0.42 to be easily cracked via a brute force attack.

“Private chats are not affected: Private queries (1-on-1) are handled over the OTR protocol, and are therefore completely unaffected by this bug. Their security was not weakened,” they also made sure to note.

“Our SSL keys are safe: For some reason, there are rumors that our SSL keys were compromised. To the best of our knowledge, this is not the case. All Cryptocat data still passed over SSL, and that offers a small layer of protection that may help with this issue. Of course, it does not in any way save from the fact that due to our blunder, seven months of conversations were easier to crack,” they explained, and apologized for making the mistake.

The announcement was apparently a reaction to Steve Thomas’ own blog post in which he urged users who used Cryptocat from October 17th, 2011 to June 15th, 2013 to assume their messages were compromised.

“There was a bug in the generation of ECC private keys that went unchecked for 347 days,” he wrote, saying that the flaw made the ECC private keys “ridiculously small” and, therefore, easily crackable. To prove his point, he created Decryptocat, a tool that cracks those keys in Cryptocat versions 1.1.147 through 2.0.41.

Despite helping the project, Thomas obviously does not have a high opinion of Cryptocat’s developers.

“Cryptocat is run by people that don’t know crypto, make stupid mistakes, and not enough eyes are looking at their code to find the bugs,” he says. “Cryptocat tried PBKDF2, RSA, Diffie-Hellman, and ECC and managed to mess them all up because they used iterations or key sizes less than the minimums.”

He advises users not to use Cryptocat as “there’s no telling how long it will be until they break their public key encryption.”

A vulnerability was found in Cryptocat up to 2.0.41 and classified as critical. This issue affects some unknown functionality of the file cryptocatRandom.js/multiparty.js of the component Group Chat Private Key Generator. The manipulation with an unknown input leads to a weak encryption vulnerability. Using CWE to declare the problem leads to CWE-311: the software does not encrypt sensitive or critical information before storage or transmission. Confidentiality and integrity are impacted.

The weakness was disclosed by Steve Thomas in a confirmed blog post (Website). The public release has been coordinated in cooperation with the project team. This vulnerability is identified as CVE-2013-2257. No form of authentication is needed for successful exploitation. Technical details as well as a public exploit are known; an exploit was disclosed immediately afterwards. The attack technique deployed by this issue is T1600 according to MITRE ATT&CK.

Upgrading to version 2.0.42 eliminates this vulnerability. Applying a patch is able to eliminate this problem.