CVE-2024-36289
📋 TL;DR
CVE-2024-36289 is a weakness in FreeFrom - the nostr client (Android and iOS, versions prior to 1.3.5): the app reuses a nonce and key pair when encrypting direct messages (DMs). A man-in-the-middle attacker who can see the encrypted traffic could alter DM content without either party detecting it.
💻 Affected Systems
- FreeFrom - the nostr client
⚠️ Manual Verification Required
The vendor advisory states that Android and iOS versions prior to 1.3.5 are affected; however, the NVD entry carries no machine-readable version range, so automated vulnerability scanners cannot determine whether your install is affected.
Why? No CPE version ranges were provided by the vendor/NVD, so matching must be done by hand:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate sensitive direct message content, potentially leading to misinformation, social engineering attacks, or manipulation of private communications between users.
Likely Case
In real-world scenarios, attackers on the same network could intercept and modify direct messages between users, potentially altering the meaning of conversations or inserting malicious content.
If Mitigated
Once the client uses a fresh nonce for every message under a given key pair and the ciphertext is integrity-protected, an on-path attacker can neither read nor silently alter DMs between the intended parties.
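To make the mechanism concrete, here is an added teaching example; it is not FreeFrom code, and the page does not show the app's implementation, so the cipher is a toy HMAC-SHA256 keystream chosen only so the script runs on the Python standard library. It shows the two consequences of reusing a nonce under one key in a scheme with no integrity check: an on-path attacker can flip ciphertext bits to change what a DM says, and two messages encrypted under the same nonce leak each other. It then shows that an encrypt-then-MAC construction rejects the same tampering. The message texts and keys are constructed samples.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks.
    Deterministic in (key, nonce), which is exactly why reusing a nonce is fatal."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: nonce || (plaintext XOR keystream). No integrity check."""
    return nonce + xor(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt_unauthenticated(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor(ct, keystream(key, nonce, len(ct)))


def mitm_tamper(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """On-path attacker who knows (or guesses) what the plaintext says at `offset`
    flips ciphertext bytes so it decrypts to `new` instead. Needs no key."""
    nonce, ct = blob[:NONCE_LEN], bytearray(blob[NONCE_LEN:])
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return nonce + bytes(ct)


def mitm_recover_with_nonce_reuse(blob1: bytes, blob2: bytes, known_plaintext1: bytes) -> bytes:
    """Two messages under the same key and nonce share a keystream, so
    c1 XOR c2 == p1 XOR p2; knowing p1 reveals p2 without the key."""
    ct1, ct2 = blob1[NONCE_LEN:], blob2[NONCE_LEN:]
    n = min(len(ct1), len(ct2), len(known_plaintext1))
    return xor(xor(ct1[:n], ct2[:n]), known_plaintext1[:n])


def encrypt_authenticated(key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any bit flip is caught."""
    body = encrypt_unauthenticated(key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def decrypt_authenticated(key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch: message was altered in transit")
    return decrypt_unauthenticated(key, body)


def demo() -> dict:
    """Runs the three scenarios and returns what the attacker achieved in each."""
    key, mac_key = os.urandom(32), os.urandom(32)
    nonce = os.urandom(NONCE_LEN)  # deliberately reused for two messages below
    p1 = b"send 100 sats to alice"  # constructed sample DMs, equal length
    p2 = b"meet at noon tomorrow!"

    c1 = encrypt_unauthenticated(key, nonce, p1)
    c2 = encrypt_unauthenticated(key, nonce, p2)

    # 1) Malleability: change the amount without knowing the key.
    altered = decrypt_unauthenticated(key, mitm_tamper(c1, 5, b"100", b"900"))

    # 2) Nonce reuse: knowing p1 leaks p2 outright.
    leaked = mitm_recover_with_nonce_reuse(c1, c2, p1)

    # 3) The same tampering against an encrypt-then-MAC message is rejected.
    a1 = encrypt_authenticated(key, mac_key, nonce, p1)
    forged = mitm_tamper(a1[:-TAG_LEN], 5, b"100", b"900") + a1[-TAG_LEN:]
    try:
        decrypt_authenticated(key, mac_key, forged)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {"altered": altered, "leaked": leaked, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

In a real client the fix is not a hand-rolled MAC but a vetted AEAD (AES-GCM or ChaCha20-Poly1305 from a maintained library) with a nonce that is never repeated for a given key; the toy keystream above exists only to keep the demonstration dependency-free.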
🎯 Exploit Status
Exploitation requires man-in-the-middle position and knowledge of the encryption flaw. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.5
Vendor Advisory: https://jvn.jp/en/jp/JVN55045256/
Restart Required: Yes
Instructions:
1. Open Google Play Store or Apple App Store.
2. Search for 'FreeFrom - the nostr client'.
3. Check whether an update to version 1.3.5 or later is available.
4. Tap 'Update' to install the patched version.
5. Restart the application after the update completes.
🔧 Temporary Workarounds
Avoid untrusted networks
Reduce exposure to man-in-the-middle attacks by avoiding public Wi-Fi and untrusted networks when using the app.
Use VPN
Employ a reputable VPN service to encrypt network traffic between the device and the VPN endpoint. This only removes attackers on the local network path; it does not fix the app's DM encryption, and an attacker positioned beyond the VPN exit who can see the traffic is unaffected.
🧯 If You Can't Patch
- Discontinue use of direct messaging feature in the app until patched
- Use alternative secure messaging platforms for sensitive communications
🔍 How to Verify
Check if Vulnerable:
Check app version in settings: Android: Settings > Apps > FreeFrom > App info. iOS: Settings > General > iPhone Storage > FreeFrom.
Check Version:
There is no command-line check for a mobile app; read the version from the device settings paths above or from the app store listing.
Verify Fix Applied:
Confirm app version is 1.3.5 or higher in app settings or app store listing.
📡 Detection & Monitoring
Log Indicators:
- None reliable: the weakness is in the app's own DM encryption, and a vulnerable client raises no alert when a message is altered, so there is nothing app-side to collect
Network Indicators:
- Evidence that the client's connection to its nostr relays is being intercepted, which an attacker needs for this attack: unexpected TLS certificates or proxies, captive portals, or rogue access points on the networks the device uses
SIEM Query:
Not applicable for a consumer mobile app; there is no server-side log source for this CVE. Track the installed app version through mobile device management (MDM) inventory instead.
🔗 References
- https://apps.apple.com/us/app/freefrom-the-nostr-client/id6446819930
- https://freefrom.space/
- https://jvn.jp/en/jp/JVN55045256/
- https://play.google.com/store/apps/details?id=com.freefrom