Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://furry.engineer/users/soatok/statuses/114381204476366592">Soatok Dreamseeker (soatok@furry.engineer)'s status on Tuesday, 22-Apr-2025 21:27:14 JST</a><a href="https://furry.engineer/@soatok" title="soatok@furry.engineer"><img src="https://gnusocial.jp/avatar/34725-48-20230823231406.webp" width="48" height="48" alt="Soatok Dreamseeker" style="position: absolute; left: 0; top: 0;">Soatok Dreamseeker</a><div><a href="https://furry.engineer/@soatok/114381153419807399" rel="in-reply-to">in reply to</a></div></section><article><p>Since it's all React.JS, I did the lazy thing: Looked in the assets directory for JavaScript files.</p><p>Success: assets/threads/Threads/encrypt.bundle and assets/threads/Threads/decrypt.bundle.</p><p>Unfortunately, this is just crypto-browserify and some other React libraries webpacked together.</p><p>It's full of side-channels and it's not clear which components are relevant.</p><p>Like, their ghash implementation (used by AES-GCM, which their decrypter uses) uses the &amp;&amp; operation after comparing each bit of the state against 0, which short-circuits the right hand side. This introduces a timing side-channel that loudly exposes the entire GHASH state at any given point of time.</p><p>They also implemented AES with S-boxes in pure JavaScript (no bitslicing), which adds a cache-timing leak. Yay.</p><p>Their PKCS7 padding removal step for AES-CBC (which appears to be used for key-wrapping) also maximizes the timing leakage.</p><p>Suffice to say, the only cryptographic primitives I can find in their app are not recommended.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4933483#notice-9666143">In conversation</a><time datetime="2025-04-22T21:27:14+09:00" title="Tuesday, 22-Apr-2025 21:27:14 JST">about 2 months ago</time> <span>from <span><a href="https://furry.engineer/@soatok/114381204476366592" rel="external" title="Sent from furry.engineer via ActivityPub">furry.engineer</a></span></span><a href="https://furry.engineer/@soatok/114381204476366592">permalink</a><h4>Attachments</h4><ol><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="http://together.It/">http://together.It/</a></h5><div></div></header><div></div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Soatok Dreamseeker (soatok@furry.engineer)'s status on Tuesday, 22-Apr-2025 21:27:14 JST Soatok Dreamseeker
in reply to
Since it's all React.JS, I did the lazy thing: Looked in the assets directory for JavaScript files.
Success: assets/threads/Threads/encrypt.bundle and assets/threads/Threads/decrypt.bundle.
Unfortunately, this is just crypto-browserify and some other React libraries webpacked together.
It's full of side-channels and it's not clear which components are relevant.
Like, their ghash implementation (used by AES-GCM, which their decrypter uses) uses the && operation after comparing each bit of the state against 0, which short-circuits the right hand side. This introduces a timing side-channel that loudly exposes the entire GHASH state at any given point of time.
They also implemented AES with S-boxes in pure JavaScript (no bitslicing), which adds a cache-timing leak. Yay.
Their PKCS7 padding removal step for AES-CBC (which appears to be used for key-wrapping) also maximizes the timing leakage.
Suffice to say, the only cryptographic primitives I can find in their app are not recommended.
In conversationabout 2 months ago from furry.engineerpermalink
Attachments
1. No result found on File_thumbnail lookup.
  http://together.It/

Public

Embed Notice

HTML Code

Corresponding Notice