this post was submitted on 17 May 2023
Privacy


How I accidentally breached a nonexistent database and found every private key in a 'state-of-the-art' encrypted messenger called Converso

But wait – it gets much, much worse

As I was finishing up the above post, I noticed something a little strange in the code – something I'd glossed over earlier. There are a ton of references to what looks to be functions related to Google's Firestore database.

Using the Seald credentials from the app's code, plus a random user's phone number and user ID from Converso's public database

[–] OsrsNeedsF2P@lemmy.ml 7 points 2 years ago* (last edited 2 years ago)

Unfortunately, Converso is not open source and their website is totally silent on cryptographic primitives and protocols

The most insane part is this somehow wasn't the worst part in the article

A quick look at Seald's homepage answers many questions. Seald is a drop-in SDK for app developers to integrate end-to-end encryption 'into any app in minutes'.

LOOOOL

Not only does Converso include a Google Analytics tracker to record how you use the app

This is an encryption app that claims to not even have metadata, btw

As I was finishing up the above post, I noticed something a little strange in the code – something I'd glossed over earlier. There are a ton of references to what looks to be functions related to Google's Firestore database.

As someone who integrates Firebase for work, this made me tremble

I wrote a few lines of code to see what would happen if I tried to pull from the users collection:

No way

Looks like I accidentally breached Converso's user database

I quit

It turns out the Seald username is the user's phone number, and the encryption password is just their user ID.

HOW IS IT GETTING WORSE???
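The "accidentally breached" read of the users collection quoted above is what an unrestricted Firestore ruleset looks like from the outside: the Firebase project ID and API key shipped in the client are not secrets, so the only thing standing between an anonymous client and every document is the security rules. The following is an added example written for this thread, not code from the article, from Converso, or from Seald. It assumes a collection named `users` (the name mentioned in the quoted text) whose document IDs are the Firebase Auth `uid` of their owner; that keying is an assumption, not something the page states. The weak ruleset is shown commented out beside the hardened one.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (illustrative, assumed): any client, signed in or not, can list and
    // read every document under /users, and write to them as well. This is the
    // state that lets an unauthenticated collection read succeed.
    //
    // match /users/{userId} {
    //   allow read, write: if true;
    // }

    // HARDENED: a caller must be signed in, and may only touch the document
    // whose ID equals their own uid. Listing the collection is denied because
    // a list query cannot satisfy the per-document uid check for every row.
    match /users/{userId} {
      allow get, update, delete: if request.auth != null
                                 && request.auth.uid == userId;
      allow create:              if request.auth != null
                                 && request.auth.uid == userId
                                 && request.resource.id == request.auth.uid;
      // 'list' is intentionally not granted; enumeration of users is never allowed.
    }

    // No other match blocks: every other path is denied by default.
  }
}
```

To check a deployed ruleset the way the article's author effectively did, issue an unauthenticated read of the collection (for example through the Firestore REST endpoint or the web SDK with no signed-in user) and confirm it fails with PERMISSION_DENIED rather than returning documents; the Firebase emulator can run the same check offline before deploying. Note that rules only fix the first problem in the thread: if the encryption password handed to an SDK is the user ID, as the quoted text says, locking down the database stops strangers from harvesting IDs in bulk but does nothing to make a public identifier a secret.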