You’re taking the p… Linux encryption app Cryptkeeper has universal password: ‘p’

You’re taking the p… Linux encryption app Cryptkeeper has universal password: ‘p’

3050
0

Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: “p”.
The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem’s command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated ‘p’ keypress – instead, it sets passwords for folders to just that letter.
Cryptkeeper’s developer appears to have abandoned the project. Luckily, it’s not used by that many people – although it makes the bug no less tragically hilarious.
However, encfs is executed with the -S switch which means it’s supposed to read the password from stdin without a prompt. Previously, encfs was bugged and didn’t quite do this. A bugfix corrected its operation to match its documentation – which made it incompatible with Cryptkeeper’s assumptions.
So that’s why Cryptkeeper sets all its directory passwords to “p”: encfs was updated and that broke Cryptkeeper’s interface.
Debian developer Simon McVittie has recommended the app be punted out of the Linux distro entirely.

Source: https://www.theregister.co.uk/2017/01/31/cryptkeeper_cooked/
Submitted by: Arnfried Walbrecht

NO COMMENTS

Comments are closed.