CVE-2023-33981
Description
Briar before 1.4.22 allows attackers to spoof other users' messages in a blog, forum, or private group, but each spoofed message would need to be an exact duplicate of a legitimate message displayed alongside the spoofed one.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Briar before 1.4.22 allows attackers to spoof messages by duplicating legitimate content in blogs, forums, or private groups.
Vulnerability
Briar versions before 1.4.22 contain a message duplication flaw in blogs, forums, and private groups [1]. The vulnerability allows a malicious user to create exact duplicates of messages written by other users. The duplicate messages have the same content and timestamps as the originals but appear as separate messages alongside the legitimate ones, effectively spoofing the original authors [1].
Exploitation
An attacker must be a member of the same blog, forum, or private group as the target user [1]. No special privileges beyond group membership are required. The attacker can duplicate any legitimate message visible to them; the spoofed message must be an exact copy of an existing message from that author [1]. The attacker does not need to forge signatures or break encryption because the duplication occurs at the application level.
Impact
A successful attack enables the attacker to spoof other users' messages, making it appear as though the target user posted the same content again [1]. This can lead to confusion, misattribution, or reputational harm within the group. The vulnerability does not allow arbitrary content creation or message modification—only exact duplication of existing messages. No information disclosure, privilege escalation, or remote code execution is achieved.
Mitigation
The issue is fixed in Briar version 1.4.22, released in February 2023 [1]. Users are encouraged to upgrade to version 1.5.3 (released later) to also address a separate issue. No workarounds are available for unpatched versions. The vulnerability has not been reported as exploited in the wild [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Briar/Briar
Patches
No patches discovered yet.