Deflating the hype around Minds.com.
Hype has been building over the past week around a new social network called Minds, after some members of Anonymous allegedly endorsed the product due to its focus on privacy and open source philosophy.
Now, researchers have disclosed several problems with the app, including that it uses its own version of weak encryption.
Minds is essentially an open source Facebook. It looks very much like the social media site, but also has elements of Reddit, with an emphasis on up-voting posts. Users earn points for interacting with and commenting on content, as well as uploading their own.
"We are a free and open-source platform to launch your digital brand, social network and mobile app," the creators explain on the project's website.
The app also allows "private, encrypted chats with friends and colleagues," according to its listing on the Google Play Store.
Yesterday Scott Arciszewski, an application security consultant for Paragon Initiative Enterprises, posted a series of problems with Minds onto the Full Disclosure Mailing List, a space used by researchers to publish vulnerabilities they discover.
The first is that the Minds client apparently "blindly accepts" whatever encryption key the Minds server provides without running through any sort of identification verification, Arciszewski told Motherboard in an email.
"That's less of a vulnerability and more of a fatal design flaw," he said. "The consequence is that the server can, on its whim, give a fake public key for the person you are communicating with and read all of your messages if it chose to do so."
So, according to Arciszewski, if an attacker managed to compromise the Minds server, they could then eavesdrop on any future conversations by providing their own key, rather than the ones of the users trying to communicate with each other.
The second problem is that Minds is using its own weak cryptography protocol, Arciszewski said.
This actually isn't the first set of issues to be disclosed about Minds. Last week Voidsec, a security company, claimed that it was possible to delete any message or edit the profile of any user, as well as upload arbitrary files to the service.
Mark Harding, Minds' CTO, denied that the problems highlighted by Arciszewski existed, and said that "there appears to be an aggressive scaremongering campaign being coordinated" against the company. He said that the supposed man-in-the-middle attack, the first problem outlined by Arciszewski, was "not possible."
Minds CEO Bill Ottman did admit that some issues shown by Voidsec to the company privately were legitimate, and that Minds resolved them. Ottman defended the encryption that the app uses, however. "People can criticize and will, but until they crack the encryption it stands for itself," he said.
"The encryption is definitely weak," Matthew Green, an assistant research professor at the Johns Hopkins Information Security Institute, told Motherboard in an email, although he clarified that it wasn't necessarily exploitable. However, "I am not optimistic that they got it right," he said.
Take this a reminder that even when a service claiming to protect your privacy gains media attention, it's worth waiting to hear what experts have to say about it.