
Critical bug found in private chat app Cryptocat, now fixed

A "critical" bug in encrypted instant messaging app Cryptocat, commonly used by those wary of the protections that mainstream communications platforms provide, left users' conversations vulnerable to brute-force attacks for several months.

Steve Thomas, the researcher who discovered the vulnerability, said in a Thursday blog post that the flaw specifically compromised group chats in the open source app between Oct. 17, 2011 and June 15.

That same day, Cryptocat published an explanation of the vulnerability on its development blog, saying that the period in which users' group chats were compromised was actually about seven months (between the release of version 2.0 and 2.0.42 of the app). reached out to the lead developer for Cryptocat about the time discrepancy, but did not immediately hear back. Via their blogs, however, Thomas and Cryptocat both vouched for the seriousness of the bug, which impacts a user base particularly concerned with their anonymity.

Thomas said the weakness existed in the generation of elliptic curve cryptography (ECC) private keys that the app used.

“Cryptocat tried PBKDF2, RSA, Diffie-Hellman (various crypto protocols), and ECC and managed to mess them all up because they used iterations or key sizes less than the minimums,” Thomas wrote, further explaining that the issue was in “the confusion between a string and an array of integers [which] made the ECC private keys ridiculously small,” and significantly easier for an attacker to calculate and, subsequently, crack.
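The string-versus-integer-array confusion Thomas describes can be caught with a simple entropy audit of a key generator. The following is an added example, not Cryptocat's code or Thomas's tool; it assumes, for illustration only, that the string was a run of decimal digits, and every function name in it is hypothetical.

```javascript
// Added illustration; all names are hypothetical, not Cryptocat's code.

// CSPRNG bytes: Web Crypto where available, Node's crypto module otherwise.
function randomBytes(n) {
  if (globalThis.crypto && globalThis.crypto.getRandomValues) {
    return globalThis.crypto.getRandomValues(new Uint8Array(n));
  }
  return new Uint8Array(require('crypto').randomBytes(n));
}

// Assumed source of the confusion: a helper that returns random *text*,
// here a string of n decimal digits (rejection sampling avoids modulo bias).
function randomDigitString(n) {
  let s = '';
  while (s.length < n) {
    for (const b of randomBytes(n)) {
      if (b < 250 && s.length < n) s += String(b % 10);
    }
  }
  return s;
}

// Buggy pattern: the string is consumed as if it were an array of byte values,
// so each of the n "bytes" of key material can only be 0..9.
function buggyKeyMaterial(n) {
  return Array.from(randomDigitString(n), Number);
}

// Hardened pattern: n elements drawn directly from the CSPRNG, each 0..255.
function safeKeyMaterial(n) {
  return Array.from(randomBytes(n));
}

// Audit: generate many keys, count the distinct element values observed, and
// derive an upper bound on key entropy (elements per key * log2(distinct)).
function auditGenerator(generate, keyLen = 32, samples = 200) {
  const seen = new Set();
  for (let i = 0; i < samples; i++) {
    for (const v of generate(keyLen)) seen.add(v);
  }
  const maxBits = keyLen * Math.log2(seen.size);
  return { distinct: seen.size, maxBits: Math.round(maxBits) };
}

console.log('buggy:', auditGenerator(buggyKeyMaterial)); // distinct 10, ~106 bits
console.log('safe: ', auditGenerator(safeKeyMaterial));  // distinct 256, 256 bits
```

Under the stated assumption, a nominally 32-byte key carries at most about 106 bits instead of 256, which is the kind of shortfall a generator audit like this flags before release.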

With the help of a program he developed, called DecryptoCat, Thomas was able to calculate the data needed to crack keys in about a day.

The company fixed the bug immediately after Thomas reported the vulnerability, and paid him through its bug bounty program. The fix is available in version 2.0.42 of the app, but to be safe, the company advised users to download the latest version 2.1.

Steve Santorelli, director of security research at nonprofit Team Cymru, told on Monday that Cryptocat's privacy incident was “very unfortunate,” but not surprising, since it uses cryptography that involves “a lot of hardcore math.”

“To build these systems is really difficult,” Santorelli said. “It's open source, but in reality, there should be an army of geeks to make sure there isn't holes in it.”

He later explained that encryption platforms have often provided not only online anonymity to people ranging from activists to crooks, but also a physical safety net for those needing to protect their whereabouts or communications.

“People's lives literally get saved because they have access to secure cryptography,” Santorelli said.
