Signin Signup

Severe security issues: hardcoded encryption key + IV value

If I am reading this right, the encryption key and initialization vector for the end-to-end encryption is hardcoded into the app, and is not random at all.

var SK = []byte("696D897C9AA0611B")

in the source code right here and this issue in the code right here:

cbc := cipher.NewCBCEncrypter(block, []byte("RandomInitVector"))

It is a fixed string "RandomInitVector" converted to a byte slice, not an actual random value, meaning there's no guess work involved, since the answer is right above.

The encryption seems completely defective and irrelevant. Not great especially coming from a Chinese app. Maybe don't use it for political writing, China is not a free country haha

    1 Operate
    SternCat updated this article at 2025-04-10 07:37:59
    1 Operate
    5 Reply
    3
    279 44 2 15 213

    Related articles

    5 Reply
    Severe security issues: hardcoded encryption key + IV value

    Welcome to here!

    Here we can learn from each other how to use SiYuan, give feedback and suggestions, and build SiYuan together.

    Signup About
    Please input reply content ...
    • SternCat 1
      VIP Warrior Author

      I reviewed the code and it seems you proved me wrong in my initial assessment. Good job

    • MiscReply
    • SternCat 1 Comment
      VIP Warrior Author

      It's so bad it feels like a backdoor... in a Chinese product?!?! No way that would never happen :P

      1 Reply
      You don't understand the code logic yourself but just blurt out nonsense. Pretending to know when you don't and throwing around accusations is extremely ridiculous. First, you should brush up on your knowledge.
      congsec
    • 88250 2 3 Up
      MOD

      Hello, I suggest you look at the place where the encryption function is called, and you will find that it is not an end-to-end encryption key.

      The implementation of end-to-end encryption is here, the implementation of key initialization is here.

      Real open source products are trustworthy, even if they are "Made in China" :)

    • SternCat
      VIP Warrior Author

      Matrix is not at all privacy focused, it leaks metadata, has state resolution issues, and is a metadata disaster.

      Instead of complaining about the various phobias like a social justice warrior, you could spend your time auditing the code.

    • Visit all replies
    SternCat
    Reply
    7
     Article
    3
     Point
    718

    Recent hot