
You're taking the p... Linux encryption app Cryptkeeper has universal password: 'p'

Give 'p's a chance... no?


Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: "p".

The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem's command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated 'p' keypress – instead, it sets passwords for folders to just that letter.

Cryptkeeper's developer appears to have abandoned the project. Luckily, it's not used by that many people – although it makes the bug no less tragically hilarious. It essentially executes this code to pass parameters to encfs:

write (fd[1], "p\n", 2);                     /* intended as the 'p' keypress that selects paranoia mode */
write (fd[1], password, strlen (password));  /* the real password, meant to be read next */
write (fd[1], "\n", 1);                      /* terminate the password line; return values are never checked */

However, encfs is executed with the -S switch which means it's supposed to read the password from stdin without a prompt. Previously, encfs was bugged and didn't quite do this. A bugfix corrected its operation to match its documentation – which made it incompatible with Cryptkeeper's assumptions.

So that's why Cryptkeeper sets all its directory passwords to "p": encfs was updated and that broke Cryptkeeper's interface.
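To make the interaction concrete, the following C program is an added illustration and is not code from Cryptkeeper or encfs. It pushes the same three writes through a pipe and reads them back with two simulated encfs readers: one modelling the documented -S behaviour (the first line on stdin is the password), the other modelling the older behaviour Cryptkeeper relied on, which is an assumption inferred from the article (first line answers the configuration prompt, second line is the password). It also shows the feed with checked write() return values, the check McVittie notes is missing, and a corrected feed that sends only the password. The function names and the sample password are constructed for the example.

```c
/* Added example: models Cryptkeeper's stdin feed against two encfs readers.
 * Not Cryptkeeper's or encfs's own code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Read one '\n'-terminated line from fd (without the newline); -1 on error. */
static ssize_t read_line(int fd, char *buf, size_t len) {
    size_t n = 0;
    while (n + 1 < len) {
        char c;
        ssize_t r = read(fd, &c, 1);
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        if (r == 0 || c == '\n') break;   /* EOF or end of line */
        buf[n++] = c;
    }
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Checked write: retries partial writes and reports failure, unlike the
 * unchecked write() calls in the original snippet. */
static int write_all(int fd, const char *data, size_t len) {
    while (len > 0) {
        ssize_t w = write(fd, data, len);
        if (w < 0) { if (errno == EINTR) continue; return -1; }
        data += w;
        len -= (size_t)w;
    }
    return 0;
}

/* The feed Cryptkeeper sends: mode keypress, password, newline. */
int cryptkeeper_feed(int fd, const char *password) {
    if (write_all(fd, "p\n", 2) < 0) return -1;
    if (write_all(fd, password, strlen(password)) < 0) return -1;
    return write_all(fd, "\n", 1);
}

/* Corrected feed for encfs -S: only the password line, nothing else. */
int cryptkeeper_feed_fixed(int fd, const char *password) {
    if (write_all(fd, password, strlen(password)) < 0) return -1;
    return write_all(fd, "\n", 1);
}

/* Simulated encfs reader, returning the password it would set.
 * stdin_mode = 1: documented -S behaviour, first stdin line is the password.
 * stdin_mode = 0: assumed older behaviour, first line picks the config mode
 *                 ('p' = paranoia), second line is the password. */
static int simulated_encfs_password(int fd, int stdin_mode, char *out, size_t outlen) {
    char mode[8];
    if (!stdin_mode && read_line(fd, mode, sizeof mode) < 0) return -1;
    return read_line(fd, out, outlen) < 0 ? -1 : 0;
}

/* Run a feed through a pipe and capture the password encfs would end up with. */
int effective_password(int stdin_mode, int fixed_feed, const char *password,
                       char *out, size_t outlen) {
    int fd[2];
    if (pipe(fd) < 0) return -1;
    int rc = fixed_feed ? cryptkeeper_feed_fixed(fd[1], password)
                        : cryptkeeper_feed(fd[1], password);
    close(fd[1]);                                   /* EOF for the reader */
    if (rc == 0) rc = simulated_encfs_password(fd[0], stdin_mode, out, outlen);
    close(fd[0]);
    return rc;
}

/* Convenience check used by the tests: does the resulting password match? */
int password_is(int stdin_mode, int fixed_feed, const char *password, const char *expected) {
    char got[64];
    if (effective_password(stdin_mode, fixed_feed, password, got, sizeof got) < 0) return 0;
    return strcmp(got, expected) == 0;
}

int main(void) {
    char got[64];
    effective_password(0, 0, "hunter2", got, sizeof got);   /* "hunter2" is a constructed sample */
    printf("old encfs behaviour, original feed: password = \"%s\"\n", got);
    effective_password(1, 0, "hunter2", got, sizeof got);
    printf("fixed encfs -S, original feed:      password = \"%s\"\n", got);
    effective_password(1, 1, "hunter2", got, sizeof got);
    printf("fixed encfs -S, corrected feed:     password = \"%s\"\n", got);
    return 0;
}
```

Run against the documented -S reader, the original feed yields the password "p" for any input, which is the bug; the same feed against the assumed older reader yields the intended password, and the corrected feed restores it under the new reader. The checked writes also surface a closed or broken pipe as an error instead of silently leaving encfs with a half-written password.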

Debian developer Simon McVittie has recommended the app be punted out of the Linux distro entirely.

"It looks as though cryptkeeper makes assumptions about encfs' command-line interface that are no longer valid," McVittie says in a bug report thread.

Cryptkeeper ... Type "p" for pwned.

"I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results.

"I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all." ®

