triofindmy.blogg.se

Cryptocat security









A pair of controversial security audits that called into question the effectiveness of cryptographic protocols utilized by the popular browser- and iOS-based chat application CryptoCat were commissioned by CryptoCat itself, says Nadim Kobeissi, CryptoCat’s lead developer. Furthermore, he says, all flaws uncovered in the reports were patched weeks before the audits’ publication.

“It’s important to note that both of these audits were commissioned by us, and that all bugs in the iPhone version were fixed before the iPhone app was released,” Kobeissi told the Daily Dot. “That was the point of asking for these audits.”

Perhaps the most widely read report, written by iSEC Partners researchers, found that the open-source app contained several flaws, which could have permitted attackers to compromise CryptoCat users’ OTR (off-the-record) conversations. The first security issue essentially required a user to verify the identity of the person with whom they wish to speak by other secured means prior to initiating CryptoCat, thus negating the entire purpose of the app. “After all, there is no need for CryptoCat if one must first communicate securely in order to use it with confidence,” the report said.

In addition, the researchers found CryptoCat was vulnerable to MITM (man-in-the-middle) attacks, leaving conversations susceptible to eavesdropping. During a MITM attack, an attacker secretly establishes connections between the two participants, receiving data from one user and passing it to the other.










