A pair of controversial security audits that called into question the effectiveness of cryptographic protocols utilized by the popular browser- and iOS-based chat application CryptoCat were commissioned by CryptoCat itself, says Nadim Kobeissi, CryptoCat’s lead developer. Furthermore, he says, all flaws uncovered in the reports were patched weeks before the audits’ publication.
“It’s important to note that both of these audits were commissioned by us, and that all bugs in the iPhone version were fixed before the iPhone app was released,” Kobeissi told the Daily Dot. “That was the point of asking for these audits.”
Perhaps the most widely read report, written by iSEC Partners researchers, found that the open-source app contained several flaws that could have permitted attackers to compromise CryptoCat users’ OTR (off-the-record) conversations.
The first security issue essentially required a user to verify the identity of the person with whom they wish to speak by other secured means prior to initiating CryptoCat, thus negating the entire purpose of the app.
“After all, there is no need for CryptoCat if one must first communicate securely in order to use it with confidence,” the report said.
In addition, the researchers found CryptoCat was vulnerable to MITM (man-in-the-middle) attacks, leaving conversations susceptible to eavesdropping.
During a MITM attack, an attacker secretly establishes a separate connection with each of the two participants, receiving data from one user and passing it to the other. The conversation carries on without interruption and no one is the wiser, except for the attacker, who can now monitor the entire exchange.
In a blog post, “Recent Audits and Coming Improvements,” CryptoCat’s developers explain in detail their solutions to both the authentication and MITM vulnerabilities, which they say have both been resolved.
“There were some bugs found in the regular Web version, and those did affect versions already released,” Kobeissi said, “but those bugs were also swiftly fixed in the past few weeks before the audits were published.”
Correction: A previous version of this article was titled “CryptoCat is anything but secure,” but was changed to address the fact that CryptoCat developers had already fixed security flaws detailed in an audit by iSEC Partners, which was commissioned by CryptoCat. In the case of the iOS app specifically, the flaws were addressed before the app version was rolled out.
Illustration by Dell Cameron