Hacker News new | ask | show | jobs
by problems 3084 days ago
So they didn't bother to check if the add to group message was from someone in the group?

I mean no offense to the developers, but this seems like a fairly basic oversight and quite concerning that respected and popular products didn't get this level of review until now.

No crazy cryptographic mess involving improper ordering of authentication or weird random number generation, this is a simple logic bug. One that I'm sure many of us would have considered if we were implementing it, things like this do get missed too of course, but enough eyes on the design could have caught this.
1 comments
arkadiyt 3084 days ago
> One that I'm sure many of us would have considered if we were implementing it, things like this do get missed too of course, but enough eyes on the design could have caught this.

It wasn't a design flaw, it was an insecure-direct-object-reference implementation flaw. IDORs are extremely common, but since the group id is an unguessable 128 bits, the bug can only be used by someone who was already in the group previously to rejoin the group. I'm sure it'll get patched shortly, if it hasn't been already.

For the WhatsApp case, a malicious WhatsApp server could add someone to your group, but everyone in the group would see it.

These bugs are not big deals. The real harm comes from regular people reading articles like the Wired one or the famously wrong Guardian one and switching to much worse alternatives, like SMS or Telegram.

link
WildGreenLeave 3084 days ago
> The real harm comes from regular people reading articles like the Wired one or the famously wrong Guardian one and switching to much worse alternatives, like SMS or Telegram.

I can understand why you give SMS as an example, because it is just plaintext. But why Telegram? As far as I know Telegram is probably better secured over a service like Whatsapp.

Edit: the latter is an assumption from me, I do not have any claims to back this up. Thats why I'm asking.

link
arkadiyt 3084 days ago
Telegram group messages are not end-to-end encrypted at all, the Telegram service has access to all message content.

Wish you weren't getting downvoted for asking this - asking is how people learn.

link
whyever 3084 days ago
Your assumption is wrong. I fear that articles like this are partially responsible for that.
link
brute 3084 days ago
People are in jail because they felt secure using Telegram. It's the kind of people who should be in jail, but nonetheless it is beyond me how anyone could still use it.
link
baby 3084 days ago
> These bugs are not big deals

Entirely agree here, these are UI/UX bugs sure, but attacks? Come on...

link