still can't get over this https://crnkovic.dev/testing-converso/
45 comments
@AgathaSorceress I know you're not supposed to attribute to malice what can be explained with incompetence, but is this a honeypot

it probably isn't, it's probably just your average pile of techbros trying to make money with a few buzzwords and the least amount of work possible

@schratze the scary part is allegedly some Important Politicians are recommending this app

@schratze @AgathaSorceress They make very specific claims that are ostensibly not true. Writing the app as it exists in the article is incompetence, marketing it as “more secure than signal” is malice

@schratze @AgathaSorceress Evidently, there's no practical difference between an intentionally constructed honeypot and a pile of techbros trying to make money with a few buzzwords and the least amount of work possible.

> Unfortunately, Converso is not open source and their website is totally silent on cryptographic primitives and protocols

Oh boy *straps in*

@AgathaSorceress i want to comment on every one of these turns but there are so many I'll spam you

What the fuck I'm not even done reading

> Forward secrecy? This doesn't exist.

Smh cancel culture strikes again, forward secrecy is cancelled

@AgathaSorceress why the fuck are they asking 5 dollars a month for an app that supposedly doesn't use servers

> Looks like I accidentally breached Converso's user database. The users collection, which is open to the internet and publicly accessible, contains the registration details for every Converso user.

oh my FUCKING GOD how can you fail this hard just how holy-

> Phone numbers, registration timestamps, and the identifiers of groups they're in (i.e. who is talking to who).

*chokes*

> So private keys are being backed up to Seald's servers, encrypted with user passwords. (Passwords are user IDs)

@julialuna I swear to god I was just joking, holy fuck, what the fuck

> "How were you able to decompile the source code of the app and what do you think should be done to protect against that in the future?"

*tired sigh*

> "May we know what you do and where you are located? Thank you."

mmmyes, mob boss tactics, or simply classist corporate "are you worth our time with your status" brainworm

@AgathaSorceress This starts off bad but turns into a horror story, I can't believe how bad it is. And their first reaction was "how do we obfuscate this so nobody else figures it out" instead of actually aspiring to implement security. Do you think they asked your job/location with an intent of hiring you or with an intent of trying to sue you in some stupid way?

@AgathaSorceress No way it is actually fixed. The least intricate hole to break the whole thing might be slightly more intricate now, but you can't code like that and end up with just one way of getting in.

@AgathaSorceress Oh my god, everything about this makes me want to scream and cry at the same time.

@AgathaSorceress what a joke ahahahahah "May we know what you do and where you are located? Thank you."

@AgathaSorceress From the blog: "A quick look at Seald's homepage answers many questions. Seald is a drop-in SDK for app developers to integrate end-to-end encryption 'into any app in minutes'." Oh my gawd I am on the floor...!!

@AgathaSorceress i figured I was in for a ride when you put that screenshot from their About page touting transparency near the top of your article, but great googly moogly that escalated quickly.

@AgathaSorceress I assume anything “innovative” is snakeoil these days. This is a hilarious bit on the converso website:

@AgathaSorceress I love how with all the other horrors on offer, this SQL injection vector just didn't even get a mention: `var i = yield n.executeSql("SELECT name, number FROM contacts WHERE name = '"+t+"';");` I mean, *maybe* `t` has been correctly sanitized previously, but nothing about this app suggests to me that's likely. Sweet cuppin' cakes...

@AgathaSorceress Has anyone verified this as far as you know? Is this blogger someone you know and trust? Don't get me wrong, the claims in the app marketing raise all kinds of red flags and I have no reason to doubt the post. Just curious.

@AgathaSorceress I doubt I'll read anything funnier today. But... The excoriation of Techbros in the comments seems a little off. I thought Techbros were technically competent but socially maladjusted. Clueless incompetents with testicles are Trumps, surely. Snakeoil buyers and sellers...

@AgathaSorceress don't we already have this? i'm sure there's a tor-hidden-service based messaging platform that actually does these things? it's called Ricochet and it's a p2p model (though i don't have enough experience to know if it's actually good or not)

@AgathaSorceress Oh, wow!

@AgathaSorceress Woah, thank you very much for your work and the detailed explanations which even I as a lay person (kind of) understand. I'm truly stunned. I don't consider this app a honeypot (they surely would have done better then). But I do consider it malware through sheer incompetence paired with greed.
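Added example (not code from Converso, Seald or the blog post): the string-concatenated `executeSql` call quoted in the SQL-injection comment above, beside a parameterised version in the same `executeSql(sql, args)` call shape. The `contacts` rows and the executor are constructed stand-ins so it runs offline in Node; the quote-balance check is a cheap way to see when input has broken out of the string literal.

```javascript
// Constructed contact rows standing in for the app's `contacts` table.
const CONTACTS = [
  { name: "Alice", number: "+15550001" },
  { name: "O'Brien", number: "+15550002" },
];

// What the quoted line builds: user input `t` spliced straight into SQL.
function unsafeContactQuery(t) {
  return "SELECT name, number FROM contacts WHERE name = '" + t + "';";
}

// Hardened form: the statement is fixed and `t` travels as a bound parameter,
// so the database never parses the user's text as SQL.
function safeContactQuery(t) {
  return { sql: "SELECT name, number FROM contacts WHERE name = ?;", params: [t] };
}

// Lint-style check: an odd number of single quotes means the input changed
// the statement's structure (the string-literal boundary was broken).
function hasBalancedQuotes(sql) {
  return (sql.match(/'/g) || []).length % 2 === 0;
}

// Minimal stand-in for a WebSQL-style executeSql(sql, args) (constructed,
// not a real driver): accepts only the one parameterised statement above
// and compares the bound value literally, as a real driver would.
function executeSql(sql, params) {
  if (sql !== "SELECT name, number FROM contacts WHERE name = ?;") {
    throw new Error("stand-in executor only supports the parameterised lookup");
  }
  return CONTACTS.filter((row) => row.name === params[0]);
}

// Lookup that keeps names containing a quote (O'Brien) both correct and safe.
function lookupContact(t) {
  const { sql, params } = safeContactQuery(t);
  return executeSql(sql, params);
}
```

A name with an apostrophe already breaks the concatenated statement, which is the same failure an attacker-controlled `t` exploits; the bound-parameter form returns the right row regardless of the characters in the input.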
@AgathaSorceress this is... really impressively bad omgs