Popular "encrypted chat" service Cryptocat contained a vulnerability for 7 months
18 July 2013
“Encrypted chat” client contained a flaw that could expose messages
Subscribers who use the Cryptocat program for secure online chat should update their client to the latest version. In addition, you should not rely on the security of any past messages.
The Cryptocat service is a tool used to provide secure, encrypted online chat. However, for the seven months to April 2013, the program had a flaw in the way it encrypted messages. During this time, messages could easily have been accessed by an attacker.
The program has since been fixed to address this flaw, and current versions are considered to be properly encrypted.
The analyst who originally discovered the flaw says versions between 7 May 2012 and 19 April 2013 contained poor encryption. This has been addressed, and the version released on 3 June 2013 is now considered practically impossible to decrypt.
Of course, security and privacy cannot be guaranteed for any software. Using any program involves trusting the developers of that product.
Vulnerabilities in most software can be addressed by updating to the most recent version of software. If you use Cryptocat, you should update your software now.
The vulnerability was discovered and addressed using a practice known as “responsible disclosure”. Most security analysts and researchers will inform the product vendor of the discovery first, allowing them time to fix their product before making the vulnerability known publicly.
It allows the vendor to release updates for users to apply to their software, usually before, or within a short time of the vulnerability being announced.
The information provided here is of a general nature. Everyone’s circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.