Ricochet is an open-source project to allow private and anonymous instant messaging.
Ricochet and the Open Technology Fund engaged NCC Group to perform an assessment of the Ricochet anonymous messaging application. Two NCC Group consultants performed the assessment between November 16th and 25th, 2016. The engagement was conducted as a source code review focused on identifying common C++ vulnerabilities and vulnerabilities affecting user privacy, and on providing recommendations wherever the code's security posture fell short of best practices.
Ricochet expressed particular interest in the discovery of vulnerabilities that, if exploited, could lead to the deanonymization or exploitation of Ricochet users. NCC Group focused its testing efforts on attempting to find vulnerabilities with these impacts.
The assessment identified multiple areas of improvement, including one issue given a High risk rating. Many of the findings are offered as defense-in-depth recommendations, so that the developers can continue to focus their effort on hardening the application. The source code assessment also identified input validation issues that were already known to the developer and have issues filed in GitHub.
The full security assessment can be found below.