tgirl johnny truant 🏳️⚧️🏳️🌈
AgathaSorceress@technogothic.net
still can't get over this https://crnkovic.dev/testing-converso/
6
11
2
summer truther
schratze@todon.nl@AgathaSorceress I know you're not supposed to attribute to malice what can be explained with incompetence, but
is this a honeypot
it probably isn't, it's probably just your average pile of techbros trying to make money with a few buzzwords and the least amount of work possible
2
0
0
tgirl johnny truant 🏳️⚧️🏳️🌈
AgathaSorceress@technogothic.net@schratze the scary part is allegedly some Important Politicians are recommending this app
0
0
0
> Unfortunately, Converso is not open source and their website is totally silent on cryptographic primitives and protocols
Oh boy *straps in*
2
0
1
tgirl johnny truant 🏳️⚧️🏳️🌈
AgathaSorceress@technogothic.net@ShadowJonathan it gets so so much worse
0
0
0
Charlotte 🦝 
charlotte
@schratze @AgathaSorceress They make very specific claims that are ostensibly not true. Writing the app as it exists in the article is incompetence, marketing it as “more secure than signal” is malice
0
0
14
@AgathaSorceress i want to comment on every one of these turns but there are so many I'll spam you
What the fuck
I'm not even done reading
1
0
1
2
0
1
Charlotte 🦝
charlotte
@ShadowJonathan @AgathaSorceress I especially love how they responded at the end
0
0
10
> Forward secrecy? This doesn't exist.
Smh cancel culture strikes again, forward secrecy is cancelled 😔
1
0
1
@AgathaSorceress why they fuck are they asking 5 dollars a month for an app that supposedly doesn't use servers
2
0
1
de weledelzeergeleerde Hx Anne C.A. "Joe 'p" Baanen, aggressieve mechanisator en effectieve genderaar
Vierkantor@mastodon.vierkantor.com
0
1
0
Show content
> Looks like I accidentally breached Converso's user database. The users collection, which is open to the internet and publicly accessible, contains the registration details for every Converso user.
oh my FUCKING GOD
how can you fail this hard
just how
holy-
1
0
1
de weledelzeergeleerde Hx Anne C.A. "Joe 'p" Baanen, aggressieve mechanisator en effectieve genderaar
Vierkantor@mastodon.vierkantor.com
@ShadowJonathan @AgathaSorceress i love how they claim to store no metadata but can also determine how many messages you sent
0
0
0
Show content
> Phone numbers, registration timestamps, and the identifiers of groups they're in (i.e. who is talking to who).
*chokes*
1
0
1
Show content
1
0
1
Show content
> So private keys are being backed up to Seald's servers, encrypted with user passwords.
(Passwords are user IDs)
@julialuna I swear to god I was just joking, holy fuck, what the fuck
2
0
1
Show content
@ShadowJonathan @AgathaSorceress @julialuna oh it GETS WORSE FAR WORSE
1
0
0
Show content
@erincandescent @AgathaSorceress @julialuna HOW CAN IT GET WORSE THAN THIS
1
0
0
Show content
> "How were you able to decompile the source code of the app and what do you think should be done to protect against that in the future?"
*tired sigh*
2
0
1
julia, doer of nap
julialuna@chaos.socialShow content
@ShadowJonathan @AgathaSorceress yea that part killed me
it just shows the extreme levels of techbro ignorance
0
0
0
Show content
> "May we know what you do and where you are located? Thank you."
mmmyes, mob boss tactics, or simply classist corporate "are you worth our time with your status" brainworm
1
0
1
Show content
> "The vulnerability with Firebase rules have been patched and you are welcome to test it out. The other vulnerability of preset decryption keys has been implemented on our side, we are only waiting to get new credentials so that existing users will be reauthenticated. However, all existing messages sent with the old decryption keys are protected by firebase rules so they still cannot be read by outside parties."
...I, what?
"We have closed the door"
...okay, have you fixed the vulnerabilities? Have you nuked your app and started over? Is this just a "oh shit this must go away" manoeuvre?
Honestly this doesn't astonish me, this gets me super angry, because these fuckers are getting away with it by patching their largest hole while saying that fixed the thousands of leaks in their Swiss cheese ship
I'm just tired, what the fuck
1
0
1
@AgathaSorceress every section just got unimaginably worse
0
1
0
Show content
@AgathaSorceress @julialuna honestly after reading this I'm just so fucking tired
This app gets away with 0 scrutiny while it fails every security practice while doing a backflip, and matrix gets condemned to hell when E2EE is a little weaker than assumed
(And even then, people are working hard to fix that weakness right now, while this app just hides their mistakes)
Jesus fucking Christ, it doesn't even compare, even matrix's security is a thousand times better than this glorified piece of shit, while it gets dumped because it's not perfect enough. Meanwhile this goes through and is recommended to a lot of people through misleading advertisement tactics
I love Capitalism and FOSS culture (not)
0
0
1
kimothy siddon
kim@k.iim.gay@AgathaSorceress literally every step somehow revealed something worse. this is both hilarious and awful
0
0
0
@AgathaSorceress i figured I was in for a ride when you put that screenshot from their About page touting transparency near the top of your article, but great googly moogly that escalated quickly.
1
0
0
Show content
@ShadowJonathan @AgathaSorceress @julialuna THE APP DOESN'T HAVE PASSWORDS
IT USES YOUR USERNAME AS YOUR PASSWORD
1
0
0
Show content
@ShadowJonathan @AgathaSorceress @julialuna oh wait I missed the parenthetical in your original post!
0
0
0