Feddit.it
  • Communities
  • Create Post
  • heart
    Support Lemmy
  • search
    Search
  • Login
  • Sign Up
piratepost@poliverso.org to Privacy@lemmy.ml · 2 years ago

Testing a new encrypted messaging app's extraordinary claims: this unofficial audit on the #Converso app looks like a book of horrors…!

poliverso.org

message-square
17
fedilink
37

Testing a new encrypted messaging app's extraordinary claims: this unofficial audit on the #Converso app looks like a book of horrors…!

poliverso.org

piratepost@poliverso.org to Privacy@lemmy.ml · 2 years ago
message-square
17
fedilink

How I accidentally breached a nonexistent database and found every private key in a ‘state-of-the-art’ encrypted messenger called Converso

@privacy

But wait – it gets much, much worse

As I was finishing up the above post, I noticed something a little strange in the code – something I’d glossed over earlier. There are a ton of references to what looks to be functions related to Google’s #Firestore database.

#Converso

Using the Seald credentials from the app's code, plus a random user's phone number and user ID from Converso's public database

  • §ɦṛɛɗɗịɛ ßịⱺ𝔩ⱺɠịᵴŧ@lemmy.ml
    link
    fedilink
    arrow-up
    10
    arrow-down
    1    ·
    2 years ago

    Thanks for the breakdown, I’ll be sure to stay away from Converso! You should 100% check out DataBag. It’s my current favorite as its pretty much selfhosted signal. Except without the need for phone numbers and while decentralized, it can be federated too. Definitely my current favorite up and comer in the messaging world

    • jherazob@beehaw.org
      link
      fedilink
      arrow-up
      2      ·
      2 years ago

      Hadn’t heard of it, is this it?

      • §ɦṛɛɗɗịɛ ßịⱺ𝔩ⱺɠịᵴŧ@lemmy.ml
        link
        fedilink
        arrow-up
        2
        arrow-down
        1        ·
        2 years ago

        That’s it

        • Arthur Besse@lemmy.ml
          link
          fedilink
          arrow-up
          1          ·
          2 years ago

          is the databag protocol/design documented somewhere? does it claim to have forward secrecy?

          from a quick glance I see here they’re generating an AES key from a passphrase and using it to encrypt an RSA private key, which is… not a good sign.

          fwiw https://simplex.chat is another thing which seems to have similar goals and functionality but is better documented.

Privacy@lemmy.ml

privacy@lemmy.ml

Subscribe from Remote Instance

Create a post
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !privacy@lemmy.ml

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

  • Lemmy.ml libre_culture
  • Lemmy.ml privatelife
  • Lemmy.ml DeGoogle
  • Lemmy.ca privacy

Chat rooms

  • [Matrix/Element]Dead

  • Discord

much thanks to @gary_host_laptop for the logo design :)

Visibility: Public
globe

This community can be federated to other instances and be posted/commented in by their users.

  • 1.21K users / day
  • 2.45K users / week
  • 4.54K users / month
  • 16.5K users / 6 months
  • 142 local subscribers
  • 32K subscribers
  • 3.34K Posts
  • 80K Comments
  • Modlog
  • mods:
  • k_o_t@lemmy.ml
  • tmpod@lemmy.pt
  • Yayannick@lemmy.ml
  • ranok@sopuli.xyz
  • BE: 0.19.5
  • Modlog
  • Legal
  • Instances
  • Docs
  • Code
  • join-lemmy.org