gnh1201/kakaotalk_analysis
1
0
Fork 0
mirror of https://github.com/stulle123/kakaotalk_analysis.git synced 2025-05-07 12:06:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Create SECRET_CHAT.md

Browse Source
This commit is contained in:
stulle123 2023-12-12 15:33:59 +01:00
parent d3e1c8da61
commit 013ffbdbd4
1 changed files with 30 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
SECRET_CHAT.md Normal file
View File

@ -0,0 +1,30 @@
# Secret Chat
E2E is opt-in only. Most people probably dont use Secret Chat since `In a secret chatrooom, features including free calling, polls, events and chatroom album are currently not available`.
Main implementation in package `com.kakao.talk.secret` and the `LocoCipherHelper ` class.
MITM PoC:
- Sender's RSA public key pair in `TalkKeyStore.preferences.xml`
- Receiver's public keys in `KakaoTalk.db`
- PoC how-to:
- Delete all public keys from `KakaoTalk.db` database
- Start mitmproxy and Frida script
- Create new Secret Chat room
- `GETLPK` packet gets intercepted -> Maybe we don't need that?
- `SCREATE` packet gets intercepted (shouldn't include a shared secret, otherwise we remove it)
- Bad signature check of MITM public key doesn't seem to have any implications
- Sender sends a `SETSK` packet (mitmproxy grabs shared secret)
- Dump `SWRITE` packets
Questions:
- How to attack an already existing E2E chat room?
- How to fix maldformed `SCREATE` packets?
- Check public key fingerprints if they have changed
- Test CFB bit flipping
- Test Secret Chat interception with `mitmproxy` script
* Use value from `pt` field to compute the nonce
* Does a warning pop up?
* What about the master secret?