  2. Aug 17, 2023
      Security: Introduce backup file format v2 · 09f6343c
      Daniel Gultsch authored
      This switches the SQL based backup format to something JSON based.
      
      The SQL based format has always been prone to SQL injections that, for example, could delete other messages or preexisting accounts in the app. This hasn’t been a concern thus far because why would anyone purposely try to restore a faulty backup? However, the argument has been made that a user can be socially engineered to restore an exploited backup file.
      Before version 2.12.8 a third party app could even trigger the restore process, leaving the backup password entry dialog the only hurdle.
      On top of that it has been demonstrated that a backup file can be crafted in a way that puts preexisting credentials into a 'pending' message to an attacker ultimately leading to that information being leaked.
      
      While destroying information has always been deemed an acceptable risk, leaking information is one step too far.
      
      Starting with Conversations 2.12.9 Conversations will no longer be able to read v1 backup files. This means if you are restoring on a new device and you have a v1 backup file you must first install Conversations <= 2.12.8, restore the backup, and then upgrade to Conversations >= 2.12.9.
      
      ceb2txt¹ has support for v2 backup files. Conceivably ceb2txt could be extended to convert between v1 and v2 file formats. (ceb2txt already recreates the database from v1 files; it is relatively straightforward to create v2 files from that database. Pull requests welcome.)
      
      ¹: https://github.com/iNPUTmice/ceb2txt/
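
An added illustration of the design change this commit message describes (not code from Conversations or ceb2txt): a restore routine that reads backup contents as JSON records and binds them to parameterized inserts, instead of executing SQL taken from the file. The table layout, allowlist, record shape and function names are assumptions; the page does not show the real v2 format.

```python
import json
import sqlite3

# Hypothetical schema and allowlist; the real v2 layout is not shown on the page.
ALLOWED = {
    "accounts": {"uuid", "username", "server"},
    "messages": {"uuid", "account", "body"},
}

SAMPLE = [  # constructed backup lines, one record per line
    '{"table": "messages", "values": {"uuid": "m1", "account": "local-1", "body": "hi"}}',
    # SQL text inside a value is bound as data and never parsed as a statement.
    '{"table": "messages", "values": {"uuid": "m2", "account": "local-1", "body": "x\'); DELETE FROM accounts; --"}}',
    '{"table": "sqlite_master", "values": {"name": "x"}}',  # table not allowlisted
    '{"table": "accounts", "values": {"uuid": "local-1", "username": "mallory", "server": "example.net"}}',
    'DELETE FROM accounts;',  # a raw SQL line is simply not valid JSON
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (uuid TEXT PRIMARY KEY, username TEXT, server TEXT)")
    db.execute("CREATE TABLE messages (uuid TEXT PRIMARY KEY, account TEXT, body TEXT)")
    # Preexisting account that a restore must never modify or delete.
    db.execute("INSERT INTO accounts VALUES ('local-1', 'alice', 'example.org')")
    return db

def restore_records(db, lines):
    """Insert one JSON record per line; return (rows restored, lines rejected)."""
    restored = rejected = 0
    for line in lines:
        try:
            rec = json.loads(line)
            table, values = rec["table"], rec["values"]
            if not isinstance(values, dict) or not values or not set(values) <= ALLOWED[table]:
                raise ValueError("unexpected column")
            if not all(isinstance(v, (str, int, type(None))) for v in values.values()):
                raise ValueError("unexpected value type")
        except (ValueError, KeyError, TypeError):
            rejected += 1
            continue
        names = sorted(values)
        # Identifiers come only from the allowlist above; values are bound with "?".
        sql = "INSERT OR IGNORE INTO {} ({}) VALUES ({})".format(
            table, ", ".join(names), ", ".join("?" * len(names))
        )
        # OR IGNORE: a record colliding with an existing row is skipped, not merged.
        restored += db.execute(sql, [values[n] for n in names]).rowcount
    return restored, rejected
```
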