A very popular hit when googling "encrypted chat"... I took a look and there were several problems.

Everything is served through HTTP, including the crypto javascript. An attacker who can MITM can send malicious javascript that simply does not encrypt. It pings the service every 500 ms with the room and username you are using in plaintext.

Tbh I stopped looking at that point, but there's no mention of an integrity check or authenticity check either, which is essential for AES communication. Even if SSL is enabled, the server can still be hacked or just be evil and serve malicious javascript if that does get fixed, but nothing new there.

cheers,
Johan
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/