Critical bug found in private chat app Cryptocat, now fixed

A "critical" bug in encrypted instant messaging app Cryptocat, commonly used by those wary of the protections that mainstream communications platforms provide, left users' conversations vulnerable to brute-force attacks for several months.

Steve Thomas, the researcher who discovered the vulnerability, said in a Thursday blog post that the flaw specifically compromised group chats in the open source app between Oct. 17, 2011 and June 15.

That same day, Cryptocat published an explanation of the vulnerability on its development blog, saying that the period in which users' group chats were compromised was actually about seven months (between the release of versions 2.0 and 2.0.42 of the app). reached out to the lead developer for Cryptocat about the time discrepancy, but did not immediately hear back. Via their blogs, however, Thomas and Cryptocat both vouched for the seriousness of the bug, which impacts a user base particularly concerned with anonymity.

Thomas said the weakness existed in the generation of elliptic curve cryptography (ECC) private keys that the app used.

“Cryptocat tried PBKDF2, RSA, Diffie-Hellman (various crypto protocols), and ECC and managed to mess them all up because they used iterations or key sizes less than the minimums,” Thomas wrote, further explaining that the issue was in “the confusion between a string and an array of integers [which] made the ECC private keys ridiculously small,” and significantly easier for an attacker to calculate and, subsequently, crack.

With the help of a program he developed, called DecryptoCat, Thomas was able to calculate the data needed to crack keys in about a day.

The company fixed the bug immediately after Thomas reported the vulnerability, and paid him through its bug bounty program. The fix is available in version 2.0.42 of the app, but to be safe, the company advised users to download the latest version 2.1.

Steve Santorelli, director of security research at nonprofit Team Cymru, told on Monday that Cryptocat's privacy incident was “very unfortunate,” but not surprising, since it uses cryptography that involves “a lot of hardcore math.”

“To build these systems is really difficult,” Santorelli said. “It's open source, but in reality, there should be an army of geeks to make sure there isn't holes in it.”

He later explained that encryption platforms have often provided not only online anonymity to people ranging from activists to crooks, but also a physical safety net for those needing to protect their whereabouts or communications.

“People's lives literally get saved because they have access to secure cryptography,” Santorelli said.
