Those looking to hide instant messages with encrypted online chat tool Cryptocat may not have been as secure as they believed, due to a coding error in the way cryptographic keys were generated for the open source tool’s group chats. The vulnerability was uncovered by independent security researcher Steve Thomas, who questioned the thoroughness of the software’s peer code review.
The bug Thomas uncovered and exploited with a tool he named DecryptoCat related to the way Cryptocat versions 1.1.147 through 2.0.41 generated ECC keys for group chats. In some cases Cryptocat treated a string of decimal digits as an integer array, greatly reducing the size of the keys. As a result of small key sizes, Thomas only needed one day to calculate data needed to crack any key within minutes. He dismissed such errors as “stupid mistakes” and suggested that “not enough eyes are looking at their code to find the bugs.”
Addressing the error
Cryptocat confirmed that group chats in versions 2.0 through 2.0.41 – covering a period of seven months – were easier to crack via brute force and therefore vulnerable. The developers issued an update fixing the bug as well as a change limiting the compatibility between the current version and previous versions of of Cryptocat. In a blog post explaining the updates, the team also dismissed security concerns about another line of code in the program and apologized for development errors.
“Bad bugs happen all the time in all projects,” the post stated. “At Cryptocat, we’ve undertaken the difficult mission of trying to bridge the gap between accessibility and security. This will never be easy. We will always make mistakes, even ten years from now. Cryptocat is not any different from any of the other notable privacy, encryption and security projects, in which vulnerabilities get pointed out on a regular basis and are fixed.”
The vulnerability is of specific note given that encrypted communication solutions have increased in popularity following concerns about NSA data collection efforts. A vulnerability in many encrypted VoIP applications was also recently uncovered as researchers turned their attention to such technology. To meet the software security expectations of users, developers creating encrypted products can strengthen their secure development practices with code review and tools such as static analysis software, which help catch bugs prior to release.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.