Conversation

tgirl johnny truant 🏳️‍⚧️🏳️‍🌈

still can't get over this https://crnkovic.dev/testing-converso/

@AgathaSorceress I know you're not supposed to attribute to malice what can be explained with incompetence, but

is this a honeypot

it probably isn't, it's probably just your average pile of techbros trying to make money with a few buzzwords and the least amount of work possible

@AgathaSorceress

> Unfortunately, Converso is not open source and their website is totally silent on cryptographic primitives and protocols

Oh boy *straps in*

anne_triangle de weledelzeergeleerde Hx Anne C.A. "Joe 'p" Baanen, aggressieve mechanisator en eff

@AgathaSorceress what.

what??

what!!!

tgirl johnny truant 🏳️‍⚧️🏳️‍🌈

@schratze the scary part is allegedly some Important Politicians are recommending this app

@AgathaSorceress i want to comment on every one of these turns but there are so many I'll spam you

What the fuck

I'm not even done reading

@AgathaSorceress I mean, what's the current going rate for an average politician

@schratze @AgathaSorceress They make very specific claims that are ostensibly not true. Writing the app as it exists in the article is incompetence, marketing it as “more secure than signal” is malice

@AgathaSorceress okay so they're basically just lying

Wow

Very nice

@AgathaSorceress

> Forward secrecy? This doesn't exist.

Smh cancel culture strikes again, forward secrecy is cancelled 😔

@AgathaSorceress why the fuck are they asking 5 dollars a month for an app that supposedly doesn't use servers

@AgathaSorceress

> Looks like I accidentally breached Converso's user database. The users collection, which is open to the internet and publicly accessible, contains the registration details for every Converso user.

oh my FUCKING GOD

how can you fail this hard

just how

holy-

@AgathaSorceress

> Phone numbers, registration timestamps, and the identifiers of groups they're in (i.e. who is talking to who).

*chokes*

@AgathaSorceress

> selfDestruct: <time-to-live>, // optional

this HAS to be a joke

@AgathaSorceress

> So private keys are being backed up to Seald's servers, encrypted with user passwords.

(Passwords are user IDs)

@julialuna I swear to god I was just joking, holy fuck, what the fuck

@AgathaSorceress @julialuna

> "How were you able to decompile the source code of the app and what do you think should be done to protect against that in the future?"

*tired sigh*

@AgathaSorceress @julialuna

> "May we know what you do and where you are located? Thank you."

mmmyes, mob boss tactics, or simply classist corporate "are you worth our time with your status" brainworm

@AgathaSorceress @julialuna

> "The vulnerability with Firebase rules have been patched and you are welcome to test it out. The other vulnerability of preset decryption keys has been implemented on our side, we are only waiting to get new credentials so that existing users will be reauthenticated. However, all existing messages sent with the old decryption keys are protected by firebase rules so they still cannot be read by outside parties."

...I, what?

"We have closed the door"

...okay, have you fixed the vulnerabilities? Have you nuked your app and started over? Is this just a "oh shit this must go away" manoeuvre?

Honestly this doesn't astonish me, this gets me super angry, because these fuckers are getting away with it by patching their largest hole while saying that fixed the thousands of leaks in their Swiss cheese ship

I'm just tired, what the fuck

@AgathaSorceress @julialuna honestly after reading this I'm just so fucking tired

This app gets away with 0 scrutiny while it fails every security practice while doing a backflip, and matrix gets condemned to hell when E2EE is a little weaker than assumed

(And even then, people are working hard to fix that weakness right now, while this app just hides their mistakes)

Jesus fucking Christ, it doesn't even compare, even matrix's security is a thousand times better than this glorified piece of shit, while it gets dumped because it's not perfect enough. Meanwhile this goes through and is recommended to a lot of people through misleading advertisement tactics

I love Capitalism and FOSS culture (not)

@AgathaSorceress

From the blog:
"A quick look at Seald's homepage answers many questions. Seald is a drop-in SDK for app developers to integrate end-to-end encryption 'into any app in minutes'."

Oh my gawd I am on the floor...!!