Key points: > A key shortcoming that makes many of these attacks possible is that Bridgefy offers no means of cryptographic authentication, which one person uses to prove she’s who she claims to be. Instead, the app relies on a user ID that’s transmitted in plaintext to identify each person. Attackers can exploit this by sniffing the ID over the air and using it to spoof another user. > With no effective way to authenticate, any user can impersonate any other user, as long as an attacker has come into contact with that user (either one-on-one or in network-wide broadcast messages) at least once. With that, the attacker can pose as a trusted contact and trick a person into revealing personal names or other confidential information, or take harmful actions. The lack of authentication can also give rise to eavesdropping or tampering of messages. > There’s a separate way to read encrypted messages, thanks to another major Bridgefy flaw: its use of PKCS #1, an outdated way of encoding and formatting messages so that they can be encrypted with the RSA cryptographic algorithm. This encoding method, which was deprecated in 1998, allows attackers to perform what's known as a padding oracle attack to derive contents of an encrypted message. > An adversary can also track individual users’ movements in a crowd by building a rough topology of the network as it evolves in real time. This attack is possible because Bridgefy sends three receipts when a message is received: a “mesh reach” in cleartext, an encrypted “delivery” receipt, and an encrypted “viewed” receipt. The technique works because users who are further away from each other will experience a longer delay between a message and its receipts. Link: https://arstechnica.com/features/2020/08/bridgefy-the-app-promoted-for-mass-protests-is-a-privacy-disaster/