Instant messaging encryption platform Cryptocat has patched a critical vulnerability which allowed seven months of users' conversations to be easily cracked.
The vulnerability in its encryption libraries affected all previous versions of Cryptocat and meant that existing multiparty conversations, although protected by SSL, could be cracked and so were at risk of being exposed.
The latest version (2.0.42) released in April had squashed the bug but prevented users from communicating with others running older versions due to changes to multiparty key generation. Users could still send private messages.
Researcher Steve Thomas discovered the flaw and deeply criticised Cryptocat developers for their approach to cryptography and handling of security flaws.
"Cryptocat's public key scheme is now good after being bad since pretty much the beginning," Thomas said. "I would suggest not using Cryptocat as there's no telling how long it will be until they break their public key encryption."
Thomas accused Cryptocat developers of being "incompetent" and built a tool dubbed DecryptoCat which cracked elliptic curve cryptography public keys generated by Cryptocat versions 1.1.147 through 2.0.41.
Cryptocat responded in a blog post in a bid to quell reporting of "inaccurate facts", such as reports that private messages could not be sent from the fixed version to affected versions, that Cryptocat's SSL keys were compromised, and that a bad line of code in the XMPP library could compromise security.
It said security would remain a challenge as Cryptocat attempted to "bridge the gap between accessibility and security". It also took full responsibility for the flaws and said it would continue to address security flaws as they emerged.