Signin Signup

Severe security issues: hardcoded encryption key + IV value

If I am reading this right, the encryption key and initialization vector for the end-to-end encryption is hardcoded into the app, and is not random at all.

var SK = []byte("696D897C9AA0611B")

in the source code right here and this issue in the code right here:

cbc := cipher.NewCBCEncrypter(block, []byte("RandomInitVector"))

It is a fixed string "RandomInitVector" converted to a byte slice, not an actual random value, meaning there's no guess work involved, since the answer is right above.

The encryption seems completely defective and irrelevant. Not great especially coming from a Chinese app. Maybe don't use it for political writing, China is not a free country haha

    1 Operate
    SternCat updated this article at 2025-04-10 07:37:59
    1 Operate
    5 Reply
    3
    278 44 2 15 212

    Related articles

    5 Reply
    Severe security issues: hardcoded encryption key + IV value

    Welcome to here!

    Here we can learn from each other how to use SiYuan, give feedback and suggestions, and build SiYuan together.

    Signup About
    Please input reply content ...
    • 88250 2 3 Up
      MOD

      Hello, I suggest you look at the place where the encryption function is called, and you will find that it is not an end-to-end encryption key.

      The implementation of end-to-end encryption is here, the implementation of key initialization is here.

      Real open source products are trustworthy, even if they are "Made in China" :)

    • MiscReply
    • SternCat 1 Comment via Linux
      VIP Warrior Author

      It's so bad it feels like a backdoor... in a Chinese product?!?! No way that would never happen :P

      1 Reply
      You don't understand the code logic yourself but just blurt out nonsense. Pretending to know when you don't and throwing around accusations is extremely ridiculous. First, you should brush up on your knowledge.
      congsec
    • SternCat 1 via Linux
      VIP Warrior Author

      I reviewed the code and it seems you proved me wrong in my initial assessment. Good job

    • kxra 1 via Linux

      a backdoor... in a Chinese product?!?! No way that would never happen :P

      Western double-standards and sinophobia are wild (i used to do it too)…lacking any self-awareness that all our domestic discourse is shaped by the handfull of media conglomerates parroting [new] cold-war propaganda on behalf of their war-profiteering owners.

      Anyways, very glad this project exists, as it is the closest to what I think would be the perfect notes & collaborative knowledge base application. It only lacks a local-first approach backed by a CRDT on top of a decentralized communication standard (such as matrix—a graph database synchronization protocol—combined with Peritext).

      I wrote up more fully what I imagine here:

      https://connect.mozilla.org/t5/ideas/%F0%9D%97%9C%F0%9D%97%BB%F0%9D%97%B3%F0%9D%97%BF%F0%9D%97%AE%F0%9D%97%AA%F0%9D%97%B2%F0%9D%97%AF-turn-tabs-bookmarks-and-notes-into-a-semantic-network/idi-p/37391

      1 Reply
    • Visit all replies
    SternCat
    Reply
    7
     Article
    3
     Point
    718

    Recent hot