
tgirl johnny truant 🏳️‍⚧️🏳️‍🌈

still can't get over this https://crnkovic.dev/testing-converso/


@AgathaSorceress I know you're not supposed to attribute to malice what can be explained with incompetence, but

is this a honeypot

it probably isn't, it's probably just your average pile of techbros trying to make money with a few buzzwords and the least amount of work possible


@schratze the scary part is allegedly some Important Politicians are recommending this app


@AgathaSorceress

> Unfortunately, Converso is not open source and their website is totally silent on cryptographic primitives and protocols

Oh boy *straps in*


@ShadowJonathan it gets so so much worse


@schratze @AgathaSorceress They make very specific claims that are ostensibly not true. Writing the app as it exists in the article is incompetence, marketing it as “more secure than signal” is malice


@AgathaSorceress I want to comment on every one of these turns but there are so many I'll spam you

What the fuck

I'm not even done reading


@AgathaSorceress okay so they're basically just lying

Wow

Very nice


@ShadowJonathan @AgathaSorceress I especially love how they responded at the end


@AgathaSorceress

> Forward secrecy? This doesn't exist.

Smh cancel culture strikes again, forward secrecy is cancelled 😔


@AgathaSorceress why the fuck are they asking 5 dollars a month for an app that supposedly doesn't use servers


@AgathaSorceress

> Looks like I accidentally breached Converso's user database. The users collection, which is open to the internet and publicly accessible, contains the registration details for every Converso user.

oh my FUCKING GOD

how can you fail this hard

just how

holy-


@ShadowJonathan @AgathaSorceress I love how they claim to store no metadata but can also determine how many messages you sent


@AgathaSorceress

> Phone numbers, registration timestamps, and the identifiers of groups they're in (i.e. who is talking to who).

*chokes*


@AgathaSorceress

> selfDestruct: <time-to-live>, // optional

this HAS to be a joke


@AgathaSorceress

> So private keys are being backed up to Seald's servers, encrypted with user passwords.

(Passwords are user IDs)

@julialuna I swear to god I was just joking, holy fuck, what the fuck


@erincandescent @AgathaSorceress @julialuna HOW CAN IT GET WORSE THAN THIS


@AgathaSorceress @julialuna

> "How were you able to decompile the source code of the app and what do you think should be done to protect against that in the future?"

*tired sigh*


@ShadowJonathan @AgathaSorceress yea that part killed me
it just shows the extreme levels of techbro ignorance


@AgathaSorceress @julialuna

> "May we know what you do and where you are located? Thank you."

mmmyes, mob boss tactics, or simply classist corporate "are you worth our time with your status" brainworm


@AgathaSorceress @julialuna

> "The vulnerability with Firebase rules have been patched and you are welcome to test it out. The other vulnerability of preset decryption keys has been implemented on our side, we are only waiting to get new credentials so that existing users will be reauthenticated. However, all existing messages sent with the old decryption keys are protected by firebase rules so they still cannot be read by outside parties."

...I, what?

"We have closed the door"

...okay, have you fixed the vulnerabilities? Have you nuked your app and started over? Is this just a "oh shit this must go away" manoeuvre?

Honestly this doesn't astonish me, this gets me super angry, because these fuckers are getting away with it by patching their largest hole while saying that fixed the thousands of leaks in their Swiss cheese ship

I'm just tired, what the fuck
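Added example, not from the article, this thread, or Converso's own code: a Cloud Firestore security-rules fragment that shows the kind of wide-open rule that leaves a `users` collection readable by anyone who knows the project ID, beside a rule that limits each user document to its authenticated owner. The post only says "Firebase rules", so Firestore (rather than the Realtime Database) is an assumption, as is the convention that the document ID equals the Firebase Auth UID; the `users` collection name is the one the quoted article mentions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (shown commented out so this file stays deployable):
    // every document under /users is readable and writable by anyone
    // on the internet, signed in or not. Illustrative shape only,
    // not Converso's actual rules.
    // match /users/{userId} {
    //   allow read, write: if true;
    // }

    // CORRECTED: the caller must be signed in and may only touch the
    // document whose ID matches their own Auth UID (assumed convention).
    match /users/{userId} {
      allow read, update, delete: if request.auth != null
                                  && request.auth.uid == userId;
      allow create: if request.auth != null
                    && request.auth.uid == userId;
    }

    // Any path not matched above is denied by default.
  }
}
```

The Rules Playground in the Firebase console lets you simulate an unauthenticated `get` on `/users/<some-id>` before deploying (`firebase deploy --only firestore:rules`); if that simulated read succeeds, the collection is public. Note what a rule like this does and does not do: it limits who can fetch documents, but it does nothing about the confidentiality of what is stored in them, which is why "protected by firebase rules" is not the same claim as "cannot be read".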


@AgathaSorceress @julialuna honestly after reading this I'm just so fucking tired

This app gets away with 0 scrutiny while it fails every security practice while doing a backflip, and matrix gets condemned to hell when E2EE is a little weaker than assumed

(And even then, people are working hard to fix that weakness right now, while this app just hides their mistakes)

Jesus fucking Christ, it doesn't even compare, even matrix's security is a thousand times better than this glorified piece of shit, while it gets dumped because it's not perfect enough. Meanwhile this goes through and is recommended to a lot of people through misleading advertisement tactics

I love Capitalism and FOSS culture (not)


@AgathaSorceress literally every step somehow revealed something worse. this is both hilarious and awful


@AgathaSorceress I figured I was in for a ride when you put that screenshot from their About page touting transparency near the top of your article, but great googly moogly that escalated quickly.


@alahmnat not my article


@ShadowJonathan @AgathaSorceress @julialuna THE APP DOESN'T HAVE PASSWORDS

IT USES YOUR USERNAME AS YOUR PASSWORD


@ShadowJonathan @AgathaSorceress @julialuna oh wait I missed the parenthetical in your original post!
