Impact
Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for token verification. This allowed for a potential timing attack where an attacker would try different token values and observe tiny differences in the response time (wrong characters fail faster) to guess the whole token one character at a time.
The attacker would need to be able to run code on the same device, for example in a malicious app or browser extension or from another user account. App sandboxing offered little or no protection on mobile. Due to CORS restrictions websites could not perform the attack. Neither could other devices.
Once an attacker successfully guessed the whole token, they would have full access to the user’s Quiet account until the next time they shut down Quiet. (When Quiet is not running there is nothing to attack, and when Quiet reopens it has a fresh token.) The attacker can also get an invite link. Like any normal invite link, this could be used to access the community after the vulnerability was patched.
Because modern JavaScript engines process 16-32 bytes at once (“chunking”), which reduces information available to the attacker, and because a fresh token is generated on app restart, it is possible that the attack was only theoretical and not feasible. However, we cannot be sure of this.
Patches
The fix, which uses a constant-time comparison function from the cryptographic library libsodium to check the token, was released in Quiet 6.0.1. #2928
All prior desktop and mobile versions are affected, so all users should upgrade to the latest version, leave their current Quiet community, and create a new one.
References
We thank @eragon4rya and @JavaDerg for initially reporting the issue and @Ccocconut for calling our attention to it.
Reported: April 25, 2005
Issue: #2820 (comment) (see first screenshot)
Fix released: July 10, 2025
Disclosed: July 16, 2025
Impact
Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for token verification. This allowed for a potential timing attack where an attacker would try different token values and observe tiny differences in the response time (wrong characters fail faster) to guess the whole token one character at a time.
The attacker would need to be able to run code on the same device, for example in a malicious app or browser extension or from another user account. App sandboxing offered little or no protection on mobile. Due to CORS restrictions websites could not perform the attack. Neither could other devices.
Once an attacker successfully guessed the whole token, they would have full access to the user’s Quiet account until the next time they shut down Quiet. (When Quiet is not running there is nothing to attack, and when Quiet reopens it has a fresh token.) The attacker can also get an invite link. Like any normal invite link, this could be used to access the community after the vulnerability was patched.
Because modern JavaScript engines process 16-32 bytes at once (“chunking”), which reduces information available to the attacker, and because a fresh token is generated on app restart, it is possible that the attack was only theoretical and not feasible. However, we cannot be sure of this.
Patches
The fix, which uses a constant-time comparison function from the cryptographic library libsodium to check the token, was released in Quiet 6.0.1. #2928
All prior desktop and mobile versions are affected, so all users should upgrade to the latest version, leave their current Quiet community, and create a new one.
References
We thank @eragon4rya and @JavaDerg for initially reporting the issue and @Ccocconut for calling our attention to it.
Reported: April 25, 2005
Issue: #2820 (comment) (see first screenshot)
Fix released: July 10, 2025
Disclosed: July 16, 2025