Today’s article comes to us from Interwebs Security correspondent Tyler L. Jones. It is his first appearance in the Cryptosphere.
WikiLeaks is at it again.
This time, in an effort to provide a method of secure communication between themselves and whistleblowers, they have developed what they claim is a secure chat system that anyone can connect to; upon connecting, you will begin a near-immediate conversation with a staff member at WikiLeaks. Today, I tried this new service out. The results were both interesting and hilarious, but we’ll get to all of that in due time.
Here’s the Facebook announcement that started this adventure.
Immediately upon connecting to their secured chat service, I was met with the following message: “Welcome to our chat system. Someone will shortly join the chat and talk with you. Clicking destroy chat will entirely destroy this encrypted chat immediately. Closing the window will mean you can return to it for 30mins at the same url, after which point it will be destroyed. REMEMBER: do not give any identifying information about yourself.”
Before I could finish reading the introductory message, the screen began to reload. I took a quick peek into the source code of the ‘Messages’ iframe [the actual chat box] and found that they had it set to a five-second refresh time. No big deal; I finished reading the message and waited patiently to be connected with one of their staff members. At this point, I noticed that the username which WikiLeaks had auto-generated for me was: EvelynMurphy7.
At this point, I had to do a double-take. The irony of this username was that I had followed a URL from Lorraine Murphy (Raincoaster), and, without immediately catching on to the randomization of the usernames, I thought that the link I followed may have been her own private (not yet ended) chat with WikiLeaks.
Having still not caught on to the randomization of the usernames, and due to the irony of coincidentally getting a username with Murphy as a part of it, after following a link from Lorraine Murphy, I closed out of the chat. I immediately took to Facebook Messenger to let Lorraine know what had just occurred, but as I was typing I decided that I would click through WikiLeaks’ own website directly and access the chat myself. This time through, I got the username: WilliamStewart57. Lorraine and I had, at this time, already had a good laugh about the previous username.
After connecting the second time and waiting patiently for a few more moments, a message from KatherineStewart34 flashed across my monitor: “hi,” the WikiLeaks staff member said. Immediately, KatherineStewart34 and I began discussing the new chat system. My first inquiry involved the development of the messaging system. The WikiLeaks representative wouldn’t say much, but did note that the secure chat system was developed entirely in-house by WikiLeaks; it was also noted that the chat was hosted on WikiLeaks’ own servers. KatherineStewart34 went on to further reassure me that the communications were entirely secure.
After a few minutes of discussing the system, I decided I would push my luck and inquire more specifically about the security and encryption that was being utilized. I was met with no comment to this, and when I repeated the question KatherineStewart34 merely informed me that WikiLeaks would not discuss any of that information publicly.
This was the response that I had originally assumed that I would get, so I wasn’t extremely disappointed with it. Still, that leaves us with the gentle reminder to never trust any system, even if it is developed in-house and hosted on the provider’s own personal servers. With no other feature to play with in their chat system, I thanked KatherineStewart34 for their time, and clicked the ‘Destroy Chat’ button. A simple 404 error flashed across the screen, indicating that the chat ID was no longer an active connection. Then, as quickly as the 404 error appeared, it disappeared and I was redirected to a bland exit page with the message: “Thanks for visiting. You should close this window now.”
Have you played around with the new chat system? Used it for any reason you’re willing to mention? Let us know in the comments below. But remember: take care of your privacy, and never assume that someone else is watching out for you. Their chat system might be secure, but that doesn’t mean you shouldn’t ensure your own security as well.
I’m Tyler Jones. I’m just a normal guy in an abnormal world; I’m also an Information Security fanatic. I am currently pursuing a Master’s of Science in Information Technology with a heavy concentration in Security. I’m a #MegaNerd, but I’m alright with that; it’s the age of the geek, after all. I hack things, or so I’ve been told. I study intelligence gathering techniques for a living. The Internet is my domain; welcome to my world. You won’t be able to hide here.