So one could have replace a JS file with one fetched from attacker controlled server for any site behind Akamai like LastPass or PayPal.
That JS could have exfiltrated all the secrets from these sites on the client side (post decryption) or replace account numbers with their own on behalf of the user.
SimpleX Chat is **the first messaging platform that has no user identifiers**, not even random numbers. The messages are e2e encrypted, and the servers and network observers cannot see users' contacts or groups. You can use the servers pre-configured in the apps or [host your own](https://github.com/simplex-chat/simplexmq#deploy-smp-server-on-linux).
## What's new in v4:
* local database encryption with passphrase.
* improved stability of chat groups, file transfers and message delivery.
* you can now use your own WebRTC ICE servers for audio-video calls.
* German language in the interface.
* TypeScript SDK for SimpleX Chat integrations.
See full [release announcement](https://github.com/simplex-chat/simplex-chat/blob/stable/blog/20220928-simplex-chat-v4-encrypted-database.md) for more details.
Download the apps via the links in the GitHub repo: [https://github.com/simplex-chat/simplex-chat#readme](https://github.com/simplex-chat/simplex-chat#readme).
Also, they are hosting **the event on Discord on October 6**, at 6pm UK / 10am PT - the same day when they kick off independent implementation audit - you can join via [this link](https://discord.gg/xmY76gCz?event=1024632780023402506) to:
* learn how SimpleX Chat is different and why it provides better meta-data privacy than alternatives,
* hear about future platform development plans,
* ask any questions,
* criticize what we do,
* suggest improvements.
Once you install the app you can choose "Connect to developers" to ask any questions, suggest new features and to join the group of users.
## About SimpleX Platform
Some links to answer the most common questions:
[How can SimpleX deliver messages without user identifiers](https://github.com/simplex-chat/simplex-chat/blob/stable/blog/20220511-simplex-chat-v2-images-files.md#the-first-messaging-platform-without-user-identifiers).
[What are the risks to have identifiers assigned to the users](https://github.com/simplex-chat/simplex-chat/blob/stable/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.md#why-having-users-identifiers-is-bad-for-the-users).
[Technical details and limitations](https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#privacy-technical-details-and-limitations).
[How SimpleX is different from Session, Matrix, Signal, etc.](https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions).
Something I found really interesting was that a lot of the techniques resembled modern code injection, where user input was being mistakenly interpreted as a control signal from the system itself, kind of like forgetting to escape your SQL statements.
First question right off the bat for anyone concerned: Lastpass *claims* that master passwords and encrypted user data was never compromised. See: https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/
There was a version number at the very bottom, and a link to how to maintain versioned documents. There was the mention of opening PDFs in browsers or with some apps that sandbox the PDF. They were like a hacker collective or a couple of hackers. I *believe* they were dutch, but this could be wrong.
*... TikTok iOS **subscribes to every keystroke (text inputs)** happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data ...*
*... Instagram iOS **subscribes to every tap on any button, link, image or other component** on external websites rendered inside the Instagram app ...*
> It sounds like something out of an urban legend: Some Windows XP-era laptops using 5400 RPM spinning hard drives can allegedly be forced to crash when exposed to Janet Jackson's 1989 hit "Rhythm Nation."
>But Microsoft Software Engineer Raymond Chen stands by the story in a blog post published earlier this week, and the vulnerability has been issued an official CVE ID by The Mitre Corporation, lending it more credibility.
cross-posted from: https://lemmy.ml/post/427359
> [Sci-Hub link.](https://sci-hub.se/10.1080/01611190600632457)
> This is an interesting read. I didn't even know that East Germany had encryption machines.