In February of this year, security researchers at ETH Zürich notified us that they had found three security issues in the Briar app. Two of these issues were fixed in version 1.4.22 of Briar, which was released in February. The third issue was fixed in version 1.5.3, which is being released today. All users are encouraged to upgrade to version 1.5.3 of the app as soon as possible.
We would like to apologise for the design and implementation mistakes that led to these issues, and to thank Yuanming Song and Prof. Kenny Paterson for finding the issues and responsibly disclosing them to us.
We have requested an independent security audit of Briar’s protocol stack to ensure that no other issues remain undiscovered.
For those who are interested in the details, a description of each issue is given below. The researchers’ report can be found here.
The first issue (fixed in Briar 1.4.22) would have allowed a malicious user to prevent their contacts from using Briar by repeatedly sending them invalid messages that would cause the app to exit.