Cryptkeeper Linux Encryption App Fails at Job, Has One Letter Skeleton Key - "P"

Status
Not open for further replies.
Exterminator

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Cryptkeeper Linux Encryption App Fails at Job, Has One Letter Skeleton Key - "P"

Cryptkeeper, famous Linux encryption app, is not as safe as one would like since a bug has been discovered, allowing universal decryption with a single letter: “p.”

The flawed version can be found in Debian 9 (Stretch), which is currently in testing, but not in Debian 8 (Jessie). According to the folks who discovered the bug, it seems that this is a result of Cryptkeeper invoking encfs and attempting to enter paranoia mode. It does this with a simulated “p” keypress but instead of doing that it sets the folder password to this particular letter.

Considering this is a tool that’s supposed to offer people protection by encrypting their files, it’s quite ironic that it could be opened universally with a single letter.

The problem seems to stem from the fact that encfs is executed with –S switch, reading the password from stdin without a particular prompt. Following an encfs bug that prevented it from doing what it was supposed to do, a bugfix was released to correct the procedure. This, in turn, broke Cryptkeeper’s interface, preventing it from doing its job of securing people’s data.

Taking it down
Simon McVittie, Debian developer, advised the dev team to take out Crytkeeper out of the Linux distro completely. “I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results. I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all,” he wrote in a bug report thread.

This seems to be the best course of action since providing people with a tool that does not do its job and, even worse, makes them feel as if they’ve somehow managed to secure their data while leaving it in the open.

While this situation may have caused a few giggles given the irony of the problem, it’s still a serious issue, and we hope to see it fixed.
Click to expand...
 
  • Like
Reactions: aragornnnn and Wave
Status
Not open for further replies.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
Malware News Red Hat warns of backdoor in XZ tools used by most Linux distros
Replies
3
Views
1,660
Security News
Practical Response
Practical Response
chetuyet.hp
    • Like
Serious Discussion Data encryption software: CPPcryptfs
Replies
1
Views
558
Other security for Windows, Mac, Linux
Bot
Bot
Gandalf_The_Grey
    • Like
    • Wow
    • +Reputation
Security News Windows 11, Tesla, and Ubuntu Linux hacked at Pwn2Own Vancouver
Replies
1
Views
1,026
Security News
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top