Cyph is a revolutionary new secure messenger, created to defend the world from mass surveillance.
This penetration test and source code audit against the Cyph codebase and infrastructure was carried out by five testers of the Cure53 team. It took twelve days total to complete and yielded an overall of nine security vulnerabilities, as well as four general weaknesses. Several of the identified issues were classified to be of critical severity. This is due to the fact an attacker could misuse these areas to compromise a server which is of key importance for some features of the project. This means a capability to hinder operational and functional value of the entire tool. It needs to be noted, however, that three of the security vulnerabilities mentioned in this report (and that includes all of the so called “criticals”) were resulting from the usage of an insecure third-party software, namely the TURN server project “Coturn”.
The tests covered various aspects of application- and server-security, investigated cryptographic implementations, and addressed browser security encompassing web crypto, service workers and the Cyph-specific usage of the location.hash property. Several of the libraries employed by Cyph were also analyzed. In addition to the full set of source code availability, the testers had access to a live version of the application and a dedicated VM that was created during the test for debugging purposes.
The full audit and summary of findings can be found below.