So, like...
OMEMO v0.3 has a pretty fucking obvious issue similar to what I found in Threema.
You're forced to use AES-GCM in a way that makes Invisible Salamanders a trivial exploit to pull off.
https://github.com/soatok/gcm-exploit
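As an added example (not code from the OMEMO spec, the linked repo, or any client), this is the defensive fix for the AES-GCM key-commitment gap behind Invisible Salamanders: derive a commitment value from the key alongside the encryption subkey, ship it with the message, and check it before GCM ever runs. The HMAC labels and the `commitment || nonce || ciphertext` layout are my own assumptions, not any standard's wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// Assumed domain-separation labels (not from any spec). One input key yields
// an AES-256 subkey and a 32-byte value that commits the message to that key.
var labelEnc = []byte("committing-gcm/enc")
var labelCommit = []byte("committing-gcm/commit")

func derive(key, label []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(label)
	return m.Sum(nil) // 32 bytes: encryption subkey or commitment
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(derive(key, labelEnc))
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal returns commitment || nonce || AES-GCM(ciphertext || tag).
func Seal(key, nonce, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	out := append(derive(key, labelCommit), nonce...)
	return gcm.Seal(out, nonce, plaintext, aad), nil
}

// Open rejects any key whose commitment does not match before touching GCM,
// so one ciphertext can no longer "validly" decrypt under two different keys.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(sealed) < 32+n {
		return nil, errors.New("sealed message too short")
	}
	if !hmac.Equal(sealed[:32], derive(key, labelCommit)) {
		return nil, errors.New("key commitment mismatch")
	}
	return gcm.Open(nil, sealed[32:32+n], sealed[32+n:], aad)
}
```

Plain GCM would let a second, attacker-chosen key pass tag verification on the same bytes; here that key fails the commitment check before decryption is attempted.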
I'm not going to bother with an embargo for this. This specific protocol and design problem is not present in newer versions of their spec. Unfortunately, I can't find any implementations that use the updated spec!
Conversations is impacted.
Gajim is impacted.
Et cetera.
> Is this 0day?
Probably not to the spec authors, but to the implementation developers? Maybe.
This is why you don't roll your own crypto.
Also, Conversations uses Java's Base64 class to decode private keys, which is susceptible to cache-timing attacks: https://codeberg.org/iNPUTmice/Conversations/src/branch/master/src/main/java/eu/siacs/conversations/crypto/axolotl/XmppAxolotlMessage.java#L63
See this paper: https://arxiv.org/abs/2108.04600
That one is *definitely* a 0day.
#XMPP #OMEMO #infosec #crypto #0day #vulnerability