Encrypted IM tool vulnerable to snooping


A tool designed specifically to encrypt online chats has been found to contain bugs that render it vulnerable to eavesdropping.

Cryptocat apparently used public key sizes, or iteration counts, below the accepted minimums, which leaves the affected versions easy to crack. The problem went undiscovered for more than a year. Those who used a vulnerable version, or who have communicated with someone using one, are affected.
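The article describes the flaw only as keys below the minimum size. What follows is an added example, not Cryptocat's code and not a reconstruction of its actual bug: a small Python audit that a project could run against its own key generator to catch that class of defect, a generator that produces keys narrower than the width it claims. The 256-bit key width, the deliberately short 54-bit generator used as the bad case, and the thresholds are all assumptions chosen for illustration.

```python
import secrets

# Assumed key width for the illustration: a 256-bit private key.
KEY_BITS = 256
KEY_BYTES = KEY_BITS // 8


def full_width_keygen() -> int:
    """Reference generator: draws a full 256-bit random integer (constructed)."""
    return secrets.randbits(KEY_BITS)


def short_keygen() -> int:
    """Constructed faulty generator: only ever fills the low 54 bits, so the
    effective key space is 2**54 instead of 2**256 (illustrative, not Cryptocat's code)."""
    return secrets.randbits(54)


def audit_keygen(keygen, samples: int = 200, min_bits: int = KEY_BITS - 16,
                 min_distinct: int = 8) -> dict:
    """Sample keys from `keygen` and flag two symptoms of a truncated key space.

    1. Bit length: among `samples` full-width keys, the largest bit_length()
       should sit within a few bits of KEY_BITS; if it never reaches `min_bits`,
       the generator is not filling the key.
    2. Per-byte variety: each byte position of a full-width key should take
       many distinct values across the samples; a position that is (almost)
       always the same value is fixed rather than random.
    Returns a report dict; `ok` is True only if both checks pass.
    """
    keys = [keygen() for _ in range(samples)]
    max_bits = max(k.bit_length() for k in keys)

    encoded = [k.to_bytes(KEY_BYTES, "big") for k in keys]
    distinct_per_byte = [len({buf[i] for buf in encoded}) for i in range(KEY_BYTES)]
    stuck_positions = [i for i, n in enumerate(distinct_per_byte) if n < min_distinct]

    return {
        "max_bits": max_bits,
        "stuck_positions": stuck_positions,
        "ok": max_bits >= min_bits and not stuck_positions,
    }


if __name__ == "__main__":
    for name, gen in (("full-width", full_width_keygen), ("short", short_keygen)):
        report = audit_keygen(gen)
        print(f"{name}: ok={report['ok']} max_bits={report['max_bits']} "
              f"stuck_positions={report['stuck_positions']}")
```

Run as a script, the full-width generator passes both checks while the short one is flagged: its largest key is at most 54 bits and the top 25 byte positions never change. A check like this belongs in a project's test suite, because a key generator that silently emits short keys produces output that still "works" end to end and is otherwise invisible to functional tests.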

The vulnerability was discovered by security researcher Steve Thomas, who detailed the many problems he found in a blog entry. He wrote: "If you used group chat in Cryptocat from October 17, 2011 to June 15, 2013 assume your messages were compromised."

Thomas has harsh words for the developers of Cryptocat, saying that "everyone involved with Cryptocat" is incompetent. "Cryptocat is run by people that don't know crypto, make stupid mistakes, and not enough eyes are looking at their code to find the bugs," says Thomas.

For their part, the developers of Cryptocat have published an explanation of the problem and urge users to upgrade to the latest version, 2.0.42, which fixes the bug.

The developers also issued an apology for the flaw, while noting that it is impossible to keep any software entirely free of bugs: "Bad bugs happen all the time in all projects. At Cryptocat, we've undertaken the difficult mission of trying to bridge the gap between accessibility and security."

For more:
- check out this article at InformationWeek
