Vulnerable Invisible Salamanders and You: A Tale of Encryption Weakness

A Black Hat presentation will discuss how vulnerabilities found in Facebook Messenger encryption could mean trouble for your secure messages.


When a researcher begins looking for a vulnerability, going for the invisible is good -- and if you can find something visible in the biggest social media platform on earth, so much the better. That's what Paul Grubbs, a Ph.D. candidate in computer science, did when he began exploring abuse of the reporting protocol used for Facebook "secret conversations."


Grubbs says that, internally, Facebook calls the messages within Messenger "salamanders." The secret messages were those related to Facebook's abuse reporting system, which could become lost within the Messenger stream. The vulnerability he found revolved around these salamanders that became invisible through a cryptographic flaw. And, he and others discovered, invisible salamanders weren't limited to Facebook.


Grubbs points out that true cryptographic flaws are quite uncommon. Instead, according to a maxim in the cryptographic world, "Cryptography is never actually broken in practice, it's always bypassed," he says, adding, "And I find that that's generally pretty true. Genuine cryptographic flaws are comparatively rare."


In the case of the invisible salamander vulnerability, the encryption algorithm itself is vulnerable, and Grubbs says that the mathematics required to exploit the vulnerability are relatively simple. How simple? "I will say that somebody with most of an undergraduate degree in mathematics can do these attacks and understand them," Grubbs says.


While it's important, Grubbs says, to understand the principles behind modern encryption methods, it's more important for security professionals to be wary of t ..
