
Critical vulnerability found in Librem One service on the very day it launched

A critical security issue surfaced in the Librem One service, which is intended for use on the Librem 5 smartphone, just after its release.

The issue can compromise a project that Purism promotes as a protected platform for ensuring privacy.

“We are super excited about our Librem One launch, if you can’t tell, but to make things even more exciting, we also have hit a different milestone with the service: our first security bug!” wrote Kyle Rankin, chief security officer of Purism.

The vulnerability was found in Librem Chat and allows entering the chat under the name of any user without knowing that user's authentication parameters.

An error was made in the backend code used for LDAP authentication on the Matrix network (matrix-appservice-ldap3), and that error later carried over into the code of the running Librem One service.

Instead of the line “result, _ = yield self._ldap_simple_bind”, the code read “result = yield self._ldap_simple_bind”, which enabled any user to enter the chat without authentication.

Developers from the Matrix project who were responsible for the error argue that the issue arose only in the master branch of “matrix-appservice-ldap3” and not in releases; however, the problematic line had been present in the repository since 2016 (the conditions for its exploitation were created only by some recent changes).
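The one-line difference quoted above, as an added Python example that is not the project's code: assuming the bind helper returns a (success, connection) pair, as the two-value unpacking in the corrected line implies, a failed bind comes back as a non-empty tuple, which Python treats as true. The stand-in ldap_simple_bind, the check_password_* functions and the sample directory are hypothetical.

```python
# Added illustration; not code from matrix-appservice-ldap3 or Librem One.
# DIRECTORY and every function name below are constructed for this example.
DIRECTORY = {"alice": "correct horse"}  # constructed sample credentials


def ldap_simple_bind(user, password):
    """Stand-in for a bind helper that returns a (success, connection) pair."""
    ok = user in DIRECTORY and DIRECTORY[user] == password
    return ok, (f"conn:{user}" if ok else None)


def check_password_buggy(user, password):
    # Bug pattern: the whole tuple is kept. (False, None) is a non-empty
    # tuple, so it is truthy and the failure branch never runs.
    result = ldap_simple_bind(user, password)
    if not result:
        return False
    return True


def check_password_fixed(user, password):
    # Fix pattern: unpack the pair so only the boolean is tested.
    result, _ = ldap_simple_bind(user, password)
    if not result:
        return False
    return True


def check_password_strict(user, password):
    # Defensive variant: accept only a 2-tuple whose first item is the
    # literal True, so a changed return shape fails closed, not open.
    outcome = ldap_simple_bind(user, password)
    if not (isinstance(outcome, tuple) and len(outcome) == 2):
        return False
    return outcome[0] is True


if __name__ == "__main__":
    for check in (check_password_buggy, check_password_fixed,
                  check_password_strict):
        print(check.__name__,
              check("alice", "correct horse"),  # valid login
              check("alice", "wrong"),          # wrong password
              check("mallory", ""))             # unknown user
```

A regression test that asserts a wrong password is rejected would catch this class of error regardless of how the helper's return value is shaped.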

Purism, known for developing the Librem line of devices with the PureOS Linux distribution, launched the unified Librem One subscription only a few days ago; it opens access to all of the company’s services, similarly to Google and Amazon Prime. In Purism's view, users pay for popular free services (such as Google and Facebook) with their personal data.


The company also offers monthly or weekly payment plans for its services; naturally, client confidentiality is guaranteed. End-to-end encryption is used on all services except Librem Social.

The company’s services include the Librem Chat messenger; Librem Social, built on the Mastodon social network; the VPN service Librem Tunnel; and the Librem Mail mailbox. Later, Purism will open to subscribers the cloud storage services Librem Files and Librem Backup, the contact synchronization service Librem Contacts, etc.

Users can have free access to Librem Chat and Librem Social. A monthly subscription to all services costs $7,99, and an annual one costs $71,91. There is a family subscription option for five people: $14,99 per month and $134,91 per year.

Naturally, after a critical vulnerability that endangers all users’ data was found in the Librem One service on the very day it launched, there are big doubts about the project.

Nevertheless, Kyle Rankin, chief security officer of Purism, argues that:


“First it’s important to discuss what this bug didn’t impact. All other Librem One services including Tunnel, Mail, and Social were not impacted by this bug. It was an authentication bug specifically with the Librem Chat service. Fortunately this bug occurred early in the service launch before too many customers were using chat. We shut down chat immediately upon confirming the bug and the overall outage lasted about 30 minutes while we investigated and patched.”

Only time will show whether Librem One is worthy of its customers' trust.

Source: https://puri.sm/posts/

Polina Lisovskaya
