Warning
Before we start, this is not an attempt at defamation or public shaming; we are only focusing on the safety of the spiking number of "Discord refugees", which is why we decided to write up our concerns about Kloak.
To begin with, we recently found out that the developers of this site were "scamming" their users by vibe-coding almost the entire platform stack while taking YOUR donations for granted!
For context, here's some info we found so far:
Scraping through the site itself, we found proof that this website's homepage was built using an AI tool called Lovable.
Lovable is apparently used not only to create websites but also apps, which could theoretically mean they vibe-coded the Kloak backend as well.
Now I do respect his honesty, but it doesn't really make the situation better given what comes next.
Not even 15 minutes into looking through the sources of their web app, we had already found a high-severity vulnerability that exposes their server database and has the potential of revealing users' auth key hashes in the process.
(this is now patched, as I submitted it beforehand)
How did this happen? Their public database wasn't:
- encrypted
- secured with row level security (RLS)
(bare minimum requirements for a chat app!)
Their Supabase's misconfigured RLS is exactly what allowed me to perform a partial mass user enumeration attack in the first place.
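As an added example (this is not Kloak's code or schema), here is a small Node.js audit over the kind of metadata Postgres keeps in its pg_class and pg_policies catalogs. It flags tables with RLS disabled, tables where RLS is on but no policy exists, and policies whose USING clause lets every row through, and it emits remediation SQL to review. The table names, policy rows and the `user_id` owner column are constructed for illustration.

```javascript
// Added example, not from Kloak: audit Postgres/Supabase row-level security
// metadata. Each table row mirrors pg_class (relname, relrowsecurity); each
// policy row mirrors pg_policies (tablename, policyname, roles, cmd, qual).
// Table names, columns and policies below are constructed for illustration.
const SAMPLE_TABLES = [
  { relname: 'profiles',  relrowsecurity: false }, // RLS off: anon key reads every row
  { relname: 'messages',  relrowsecurity: true  },
  { relname: 'auth_keys', relrowsecurity: true  },
  { relname: 'audit_log', relrowsecurity: true  }, // RLS on, no policy: default deny
];
const SAMPLE_POLICIES = [
  { tablename: 'messages',  policyname: 'messages_read_all', roles: '{anon,authenticated}', cmd: 'SELECT', qual: 'true' },
  { tablename: 'auth_keys', policyname: 'auth_keys_owner',   roles: '{authenticated}',      cmd: 'ALL',    qual: '(auth.uid() = user_id)' },
];

// A USING clause that reduces to "true" grants every row to the listed roles.
function allowsAllRows(qual) {
  return (qual ?? '').replace(/[()\s]/g, '').toLowerCase() === 'true';
}

// Returns one finding per problem; `fix` is a remediation statement to review.
// Supabase's service_role key bypasses RLS, so policies only protect access via
// the anon/authenticated keys that ship inside a browser bundle.
function auditRls(tables, policies) {
  const findings = [];
  for (const t of tables) {
    const own = policies.filter((p) => p.tablename === t.relname);
    if (!t.relrowsecurity) {
      findings.push({ table: t.relname, severity: 'high', issue: 'rls-disabled',
        fix: `ALTER TABLE public.${t.relname} ENABLE ROW LEVEL SECURITY;` });
      continue; // policies are ignored while RLS is disabled
    }
    if (own.length === 0) {
      findings.push({ table: t.relname, severity: 'info', issue: 'no-policies',
        fix: 'RLS is on with no policy: all rows are denied; add an owner-scoped policy if clients need access.' });
    }
    for (const p of own) {
      if (!allowsAllRows(p.qual)) continue;
      const exposedToAnon = p.roles.includes('anon');
      findings.push({ table: t.relname, policy: p.policyname,
        severity: exposedToAnon ? 'high' : 'medium', issue: 'policy-allows-all-rows',
        // Assumes an owner column named user_id; adjust to the real schema.
        fix: `DROP POLICY ${p.policyname} ON public.${t.relname}; ` +
             `CREATE POLICY ${p.policyname} ON public.${t.relname} FOR ${p.cmd} TO authenticated USING (auth.uid() = user_id);` });
    }
  }
  return findings;
}

// Renders the remediation SQL for every finding that has a statement to run.
function remediationSql(findings) {
  return findings
    .filter((f) => f.fix.startsWith('ALTER') || f.fix.startsWith('DROP'))
    .map((f) => f.fix)
    .join('\n');
}

console.log(auditRls(SAMPLE_TABLES, SAMPLE_POLICIES));
console.log(remediationSql(auditRls(SAMPLE_TABLES, SAMPLE_POLICIES)));
```

On a real project you would feed `auditRls` the output of `SELECT relname, relrowsecurity FROM pg_class` and `SELECT * FROM pg_policies` for the `public` schema; the point of the sample is that `profiles` (RLS off) and `messages` (policy `true` granted to `anon`) are exactly the shapes that let an unauthenticated client walk the whole table through the public API.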
This is what concerns me the most about this platform!
The current account registration system relies entirely on a single randomly generated authentication key that is stored hashed somewhere in their database.
If those hashes were to appear in a data breach, which is likely considering their awful practices, exploiters could take advantage and attempt to crack them.
This sucks because they provide no recovery methods or validity checks for their users, which means an account with a compromised key is an account with its doors wide open!
Furthermore, a key length of 64 is by today's standards considered somewhat risky, especially as more users join this platform without general safeguards in place.
Considering their official motto is "respecting user privacy", I would suggest a PGP-based authentication system instead of their current one.
Note
To avoid confusion, you don't really have to give out your real email address when generating your own private PGP key; in fact, for scenarios like this it's suggested you provide a fake one so you are less traceable.
Why? A few reasons:
- more user control
- if a database leak happens, you're still practically safe
Let's say someone wants to create a new account. The way I'd do it is by having the server prompt the user for their public PGP key and then show an encrypted code on screen that only the person holding the matching private key can decode.
After the user submits the decrypted code, the server would then proceed to validate them.
This would be a far better alternative because even if a public key is compromised, accessing the account isn't possible without the private one.
(unless session tokens are leaked as well)
Now what about recovery? Simple: add basic but optional recovery options, such as via email or passkeys, which would then give you the ability to change your public key.
I would also stick to their original motto and not include a phone number as a recovery option, for privacy reasons.
Just a few hours after talking to Jim about this whole fiasco, he decided to roll back the Kloak servers in order to try and get rid of the evidence of my DMs with him, without even warning the community!

Doing this damaged the platform because messages sent, and servers and accounts created, during that period simply vanished.
Luckily I saved some of our DMs, as I was expecting my account to get banned because of this. Yes, really.
I don't have much to add except what I first sent him before I started writing this gist, as I have already provided parts of our DMs above.

Later that day they were also apparently being DDoSed by a bunch of bots, which resulted in server breakage.

At first I thought they had deleted my account due to the ongoing controversy, but it seems the site is just declining at this point.
Additionally, the devs recently received backlash for literally replicating a somewhat popular Discord server and claiming it as their own, which by itself is a bit suspicious but not as serious.
We all strongly suggest you move over to fluxer.app. This is not an advertisement, but rather a safer (and miles better) alternative we found.
In contrast, Fluxer is made by REAL people FOR people. It's been in development for a long time now with actual effort; it still has a long way to go, but a bunch of features are already baked in. We recommend you read more about it here:
Adding on something about the team's shadiness: I once saw a message in the official server from someone calling them out, which stated that they deleted his account and messages after he tried to notify them about a security vulnerability. That message was also deleted shortly after.