Slashdot Mirror


Critical Bug In Libotr Opens Users of ChatSecure, Adium, Pidgin To Compromise (helpnetsecurity.com)

An anonymous reader writes with a report at HelpNet Security that a vulnerability in "libotr," the C code implementation of the Off-the-Record (OTR) protocol that is used in many secure instant messengers such as ChatSecure, Pidgin, Adium and Kopete, could be exploited by attackers to crash an app using libotr or execute remote code on the user's machine.

25 comments

  1. Curious by campuscodi · · Score: 1, Interesting

    Does anyone still use these?

    1. Re:Curious by Anonymous Coward · · Score: 1

      Enlighten me, what should one be using to chat securely these days?

    2. Re:Curious by Wowsers · · Score: 2

      Sneakernet.

      --
      Take Nobody's Word For It.
    3. Re:Curious by Anonymous Coward · · Score: 0

      Camouflaged carrier pigeons are the future.

    4. re: Curious by Anonymous Coward · · Score: 0

      Years ago I was alarmed at the frequency of critical security updates for Pidgin-related crap that I don't use, so I added the following to my Ubuntu fresh-install script:

      # apt-get purge -y libpurple*

    5. Re:Curious by Dutch+Gun · · Score: 2

      Enlighten me, what should one be using to chat securely these days?

      I'd probably use Threema, as it has a trust-no-one model in which the most secure level (of the three available) requires personally exchanging keys with the target recipient. The company is also based in Switzerland, which, sadly, makes it a hell of a lot more secure by default than any US-based company, as we're quickly finding out with this pending Apple / FBI case.

      That being said, I *don't* actually need secure chat, so I just use SMS or e-mail, which should be considered about as secure as a postcard.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    6. Re:Curious by Anonymous Coward · · Score: 0

      How about an iPhone? /ducks

    7. Re:Curious by Anonymous Coward · · Score: 0

      For Android and iPhone, Signal seems good. It uses end-to-end encryption, detects man-in-the-middle attacks, and is open source (GPL). It also uses regular phone numbers to identify users, so if you already have your friends' numbers in your contact list and they've installed Signal, you can call/text them without exchanging any new contact information.

    8. Re:Curious by Anonymous Coward · · Score: 0

      How about for people with a real input device, like a keyboard?

    9. Re: Curious by Anonymous Coward · · Score: 0

      It's no surprise; Jacob "I need your attention" Applebaum is a shit app-sec developer.

    10. Re:Curious by Anonymous Coward · · Score: 0

      It works fine with my Bluetooth keyboard on my Android device.

    11. Re:Curious by Anonymous Coward · · Score: 0

      Well, they're working on Signal Desktop, but it's currently in beta.

    12. Re:Curious by Anonymous Coward · · Score: 0

      Yeah - it doesn't care what input device you use. Onscreen or physical kbd works ok.

    13. Re:Curious by shione · · Score: 2

      I like telegram ( https://telegram.org/ ) . It gets a 7 on EFF ( https://www.eff.org/node/83766 ) and has clients on android/ios/windows/mac/linux and even on winblows phone that nobody uses

    14. Re:Curious by thegoldenear · · Score: 2

      Moxie Marlinspike - 'A Crypto Challenge For The Telegram Developers':
      http://thoughtcrime.org/blog/t...

      Pete Boyd

    15. Re:Curious by Anonymous Coward · · Score: 0

      Looks like a 6 to me.

    16. Re:Curious by KGIII · · Score: 1

      qTox.

      https://tox.chat/clients.html

      I do use a Windows phone, by the way. A /.er recommended it so I tried it and I'm pretty happy. I don't use Windows on my computer but I kind of like it on my phone. Contrary to popular opinion - there are apps available. There just aren't a few hundred thousand repeats of the same apps. I do everything that I can possibly want to do on my phone. I'm pretty happy with it and it's really quite snappy even though it's not as powerful as some of the other phones that I've owned.

      At any rate, there are a bunch of clients for Tox. There is not one for Windows phone. It's end-to-end encrypted, it's decentralized, it's basically all the features that one probably wants such as video, groups, conference, text, voice (of course), and all that stuff. It's not bad. I've played with it a few times. It's not resource intensive even though it's encrypted. I dare say it's pretty good, actually. I'm not sure that I really need a chat client or anything but it's installed and I've used it a few times. It's still (seemingly) a worthy project.

      Here are the FAQs:
      https://tox.chat/faq.html

      I am not associated in any way with the project unless one counts donating to the project.

      --
      "So long and thanks for all the fish."
    17. Re:Curious by Anonymous Coward · · Score: 0

      No, being based in Europe does not make it more secure or inviolable by government policies. In the US, we hear all the brouhaha because people are paranoid about the government. In Europe, people believe the government is doing the best to protect them, and violations of this nature would happen without you even being aware of it (even if you did, the people would be perfectly content with it, knowing it's for the "common good").

    18. Re:Curious by Anonymous Coward · · Score: 0

      I use and know a lot of people who use Pidgin+OTR. About a dozen of us in my office use it all day, and almost everyone I talked to on AOL in the 90s and AIM in the 00s, I've gotten to switch to Pidgin+OTR years ago. Say what you will about AOL, but one thing they did right is to stop fucking with the Oscar protocol and start playing nice with third-party clients.

    19. Re:Curious by Anonymous Coward · · Score: 0

      They rate it a 6, not a 7.....

    20. Re:Curious by shione · · Score: 1

      Yeah, sorry, it's a 6. Typo :)

    21. Re:Curious by shione · · Score: 1

      That's interesting. I notice it is from a few years back. I take it the developers of Telegram ignored them about it?

  2. history of rocks in our heads by Anonymous Coward · · Score: 0

    other stuff https://youtu.be/ISmgOrhELXs .. the final curtain https://www.youtube.com/watch?v=oiAuXRK3Ogk