The imperfection of cryptography calls into question the security of user data.
A recent study by Citizen Lab found vulnerabilities in the networks of China's most popular messaging app, WeChat. The program, which has more than a billion monthly users, uses the proprietary MMTLS protocol, which is weaker than the TLS 1.3 standard from which it was modified.
The analysis showed that WeChat uses non-standard encryption known as MMTLS, which contains several cryptographic flaws at once. One of them is the use of predictable initialization vectors (IVs), which can lead to the recovery of encryption keys and the disclosure of sensitive information. In addition, WeChat does not support Forward Secrecy, which makes it possible to decrypt past data in the event of a key breach.
The researchers noted that previous versions of WeChat relied on an even less secure encryption protocol, which, by the way, is still partially used even in modern versions of the messenger. This raises questions about the security of user data, despite the lack of attacks that could completely break the application's encryption.
WeChat's developers use their own encryption system, which is a common practice in Chinese apps. However, these systems are often less reliable than proven international standards such as TLS.
Researchers have released tools for analyzing WeChat traffic that will help in further studying the security of the app. The move is intended to incentivize developers and cybersecurity professionals to improve the encryption and protection of user data.
Source
A recent study by Citizen Lab found vulnerabilities in the networks of China's most popular messaging app, WeChat. The program, which has more than a billion monthly users, uses the proprietary MMTLS protocol, which is weaker than the TLS 1.3 standard from which it was modified.
The analysis showed that WeChat uses non-standard encryption known as MMTLS, which contains several cryptographic flaws at once. One of them is the use of predictable initialization vectors (IVs), which can lead to the recovery of encryption keys and the disclosure of sensitive information. In addition, WeChat does not support Forward Secrecy, which makes it possible to decrypt past data in the event of a key breach.
The researchers noted that previous versions of WeChat relied on an even less secure encryption protocol, which, by the way, is still partially used even in modern versions of the messenger. This raises questions about the security of user data, despite the lack of attacks that could completely break the application's encryption.
WeChat's developers use their own encryption system, which is a common practice in Chinese apps. However, these systems are often less reliable than proven international standards such as TLS.
Researchers have released tools for analyzing WeChat traffic that will help in further studying the security of the app. The move is intended to incentivize developers and cybersecurity professionals to improve the encryption and protection of user data.
Source
