Bug forced P2P log store to leak encrypted comms

SSB-Server security vulnerability reveals content of private messages

A vulnerability in SSB-Server, the Node.js implementation of Secure Scuttlebutt (SSB), enabled malicious actors to decrypt and access private information. The ‘high severity’ bug was patched earlier this week.

Scuttlebutt is a peer-to-peer information exchange protocol that enables users to set up messaging and social networks without the need for a centralized server.

Each user installs SSB-Server and publishes posts on their feed. SSB-Server installations find each other on local networks and allow users to follow and replicate each other’s feeds on their computer.

Scuttlebutt uses public key cryptography to identify users and enable the exchange of private, end-to-end encrypted messages.

Private messages

The vulnerability, found in the SSB-DB, the component that provides the APIs to read and write messages to the Scuttlebutt server, forced SSB to reveal encrypted messages.

“This means that it’s returning the decrypted content of private messages, which a malicious peer could use to get access to private data,” an advisory posted on GitHub reads.

The bug was caused by one of the modifications introduced in SSB-DB version 20.0.0. According to the advisory, “there is no evidence that other SSB apps are vulnerable or that this problem has been exploited in the wild,” though it is hard to track the use of peer-to-peer apps, given their decentralized nature.

Read more of the latest open source software security news

“The one data point that makes me optimistic is that this change was caught before the dependency was used in any of the ‘flagship’ apps that people use, and the one application that did use the vulnerable dependency (SSB-Server) was released quietly and with a major version bump,” Christian Bundy, one of the maintainers of Scuttlebutt, told The Daily Swig.

Bundy did admit, however, that it would be difficult to track the bug’s exploitation. “If an attacker was watching SSB-DB commits and they caught the bug before we did, we wouldn’t have a way to observe their attacks unless they attacked us,” he said.

Double-edged sword

The peer-to-peer nature of Scuttlebutt provides a measure of protection against unknown actors.

“The networking layer only connects to people that you explicitly ‘follow’, so we’re lucky to have this network of trusted peers by default,” Bundy said.

“Connecting to your friends is a double-edged sword, since they’re (probably?) less likely to launch an attack against you, but having a friend read your private messages is (probably?) worse than having a random internet stranger read your messages.”

All users should upgrade to SSB-DB v20.0.1 (bundled with SSB-Server 16.0.1) immediately.

READ MORE GraphQL Playground devs patch longstanding XSS vulnerability