NCC Audit Results [WIP]

Robert Spigler edited this page May 6, 2017 · 2 revisions

NCC Group completed a security assessment of Ricochet on February 15th, 2016. The full audit report can be viewed here: https://ricochet.im/files/ricochet-ncc-audit-2016-01.pdf

This wiki page lists the vulnerabilities and recommended changes to the Ricochet code identified by the audit, together with their corresponding issues and pull requests on the Ricochet GitHub.

The Ricochet audit found a total of 8 issues: 0 critical, 1 high risk, 1 medium risk, 0 low risk, and 6 informational. Both the high risk and the medium risk issue are related to data validation, while the cryptography and data exposure findings are all informational.

Vulnerability Details

  1. Insufficient Validation in ContactRequest Allows De-Anonymization
    Risk: High (Impact: High, Exploitability: Medium)
    Category: Data Validation
    Status: Fixed (https://github.com/ricochet-im/ricochet/pull/313)

  2. Links May Contain Malicious Unicode Characters
    Risk: Medium (Impact: Medium, Exploitability: Medium)
    Category: Data Validation
    Status: ??WIP (https://github.com/ricochet-im/ricochet/pull/302)??

  3. Unnecessary Use of HMAC
    Risk: Informational (Impact: High, Exploitability: Low)
    Category: Cryptography
    Status: ??

  4. Access To Local Socket Can Steal 32-Byte Files
    Risk: Informational (Impact: Low, Exploitability: Low)
    Category: Data Exposure
    Status: ??

  5. Host Verification Weak Against State Level Adversaries
    Risk: Informational (Impact: High, Exploitability: Low)
    Category: Cryptography
    Status: Dependent on Tor increasing their security of hidden services, WIP (Find link to Tor's work?)

  6. Lack of Application Layer Message Encryption
    Risk: Informational (Impact: Medium, Exploitability: Low)
    Category: Cryptography
    Status: WIP (https://github.com/ricochet-im/ricochet/issues/72)

  7. Unexploitable Buffer Overread in CryptoKey::loadFromData
    Risk: Informational (Impact: High, Exploitability: None)
    Category: Data Validation
    Status: Has this code been removed yet?

  8. Configuration/Metadata Files Stored on Disk Unencrypted
    Risk: Informational (Impact: Low, Exploitability: Low)
    Category: Data Exposure
    Status: WIP (https://github.com/ricochet-im/ricochet/issues/33)