UPDATE:
A few days ago we received an e-mail from a security hacker who claimed to have hacked our service and was able to obtain our users' messages. Please see the e-mail correspondence between us and the hacker.
QUOTE:
-------- Original Message --------
Subject: Re: About Vultureabilites
From: Hacker--e-mail removed
Date: Tue, November 11, 2014 5:55 am
To: development(at)nxtty.com
Hi, as I told, I prepared all vulnerabilities and proofs. All details and explanations are attached.
Overview and after decide; that information is useful or not, which?
I'm waiting for your response, have a nice day.
Shortly, what can be done with these bugs?
User (for example, me):
1- can see other users' friends
2-** can see other users' messages
** User can see crypted data (message) and other date, userid, nxtid, read, created etc. information
3- can see other users' blocklists
4- can see other users' notifications
5- can see other users' conversations
6- can see other users' activities
* can see user information in group (nxtid, friends, messages, notifications, conversations, activities)
7- can send messages to other users (but 'User, I mean me' must do message crypto and nonce compatible with nxt, after generate must do boundary)
8- can edit other users' gender information
9- can edit other users' school information
10- can edit other users' text-size information
11- can edit other users' deviceid information
12- can earn Free nxttycoins; when user send post that variables
ATTACHMENT:
The following proofs belong to your support member "Seventy" or I can do want i.
Conversation Proof
[{"user":{"nxtAccountId":"15501279223453608459","nameAlias":"Blue Lantern","deletePlanId":0,"registrationDate":null,"avatar":"633b4bd5-fad5-4b82-b0b2-9a657cc72f7e-142810053116.jpg","city":null,"school":null,"status":null,"gender":":null,"deviceType":null},"lastMessage":{"id":4563,"senderId":"15845222869132144523","receiverId":"15501279223453608459","body":"{\"requestProcessingTime\":3,\"nonce\":\"cf8d9684620a490fd356131f350a6f664f921a01fc6bcbd72725abf8ee385152\",\"data\":\"5f5dff1f5265315ee400bf7fe49663640144eef6416d2a9d9f38777aaba6fb0a540f7e7eed92a58 fef16dcb5d44d2a05cb1326ae6eb600a88a165612d2ffc3907679972ce2cded11deaa744ec88f2f f41be04e782108e78b26300679bff98abfbe40e4938424b70a2e5ee120279952d92a64da2419c95 133e05091097c6aae6d4cb5d032a2cac38bc1e10b2bc0eadb9f\"}","createdDate":1415147492000,"read":false,"image":null,"seenDate":null}},
OUR RESPONSE:
On Tue, Nov 11, 2014 at 9:15 AM, wrote:
Are you able to decrypt the messages?
regards,
Nxtty
Crypto messaging for the masses.
HACKER'S RESPONSE:
-------- Original Message --------
Subject: Re: About Vultureabilites
From: Hacker e-mailed----removed
Date: Tue, November 11, 2014 7:30 am
To: development(at)nxtty.com
Nxt is using the AES algorithm for crypt. Also nxt has a message decrypt API; for decrypt one needs the following:
secretPhrase
account
data
nonce
In that case we don't know secretPhrase, that's why I can't decrypt it.
But I think that system 1-2 years after will be destroyed because; there could be time a lot of crypted in future so; in that time decrypt will be easy.
Also;
Other method bruteforce (with opencl), I can scan 1x10^13 possibility in 1 hour, but for a message decrypt;
there is a (around) 10^60 / 10^13 lucky, and that possibility = for one hour. But as I told, it will be too easy in future.
UNQUOTE:
So although the hacker was able to obtain all messages of a particular user, he is NOT ABLE TO READ THOSE MESSAGES.
We paid a sizable bounty to the security hacker for his effort; all bugs mentioned above will be nullified in either update 1.0.3 or 1.0.4.
We invite any hackers to have a good look at our app and try to break it, we will reward you for the effort.