Freedom Chat App Exposed Users’ Phone Numbers and PINs

Summary
– Freedom Chat, a secure messaging app, fixed two security flaws that exposed user phone numbers and PIN codes.
– A researcher found the app’s servers allowed mass guessing of phone numbers, potentially exposing nearly 2,000 users.
– The app also leaked user PIN codes in network data, broadcasting them to others in the same public channel.
– The founder confirmed fixes, including resetting all PINs and improving server protections to prevent guessing attacks.
– This is the founder’s second messaging app with security issues, following Converso, which was delisted for similar flaws.
A recently launched messaging application, which markets itself on protecting user privacy, has addressed two significant security vulnerabilities. These flaws allowed a researcher to potentially identify the phone numbers of registered users and also exposed the personal identification numbers (PINs) that individuals set to lock the app. The discovery raises serious questions about the platform’s commitment to its stated security promises.
Security researcher Eric Daigle identified the weaknesses last week. He found that Freedom Chat’s servers did not properly limit the number of guesses an attacker could make. This meant someone could systematically test millions of phone numbers to determine which ones were associated with active accounts on the service. Daigle estimated this method could have enumerated the numbers of nearly two thousand users who had signed up since the app’s June release. This technique mirrors a method recently documented by academics at the University of Vienna, who used a similar approach to scrape data from WhatsApp’s servers.
In a separate but equally concerning finding, Daigle discovered that the app was leaking user PIN codes. By using a common network analysis tool to inspect data traffic, he observed that the application would send the PINs of all other users in a public channel within its server responses. This occurred even though the PINs were not displayed within the app’s own interface. The issue was particularly acute in the default public channel, where every new user is automatically placed. Anyone in that channel could have their four-digit lock code broadcast to every other participant. Knowledge of this PIN could potentially allow someone with physical access to a user’s device to unlock the application.
Daigle shared his findings with TechCrunch, as Freedom Chat does not maintain a public vulnerability disclosure program for security researchers to report issues. The publication then contacted the app’s founder, Tanner Haas. In response, Haas confirmed that the company has taken corrective actions. He stated that all user PINs have been reset and a new version of the app has been released. The company is also working to remove any instances where phone numbers were visible and has increased server-side rate-limiting to prevent mass guessing attempts.
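The two weaknesses described above are both server-side mistakes with well-known fixes: a response that serializes whole user records (so a field such as the PIN leaks even when the client never displays it), and a lookup endpoint with no per-client throttle (so phone numbers can be tested at scale). The following Python is an added illustration written for this article; it is not Freedom Chat's code, and the record layout, field names, limits and sample users are all assumptions made up for the example. It puts the leaky serializer beside an allowlist-based one, and adds a sliding-window rate limiter in front of a registration-check endpoint of the kind the article says was tightened.

```python
import time
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

# Constructed sample record layout (an assumption, not the app's real schema).
# The server holds more than the client ever needs to see.
@dataclass
class User:
    user_id: str
    display_name: str
    phone: str
    pin: str  # app-lock PIN; only ever needed on the owner's own device


# Constructed sample users; the numbers and PINs are placeholders.
MEMBERS: List[User] = [
    User("u1", "alice", "+15550000001", "1234"),
    User("u2", "bob", "+15550000002", "9876"),
]


def serialize_member_leaky(user: User) -> dict:
    """The flawed pattern: dump the whole record into the channel-member response.

    The client may not render 'pin', but anyone inspecting traffic sees it."""
    return vars(user).copy()


# Explicit allowlist: a new server-side field cannot reach the wire by accident.
PUBLIC_MEMBER_FIELDS = ("user_id", "display_name")


def serialize_member(user: User) -> dict:
    """Hardened form: emit only the fields a channel member is entitled to see."""
    return {name: getattr(user, name) for name in PUBLIC_MEMBER_FIELDS}


def channel_members_response(members: List[User], serializer=serialize_member) -> list:
    """Builds the list a client receives when it loads a channel's member roster."""
    return [serializer(m) for m in members]


class SlidingWindowLimiter:
    """Per-client sliding-window counter for a sensitive endpoint.

    Keeps the timestamps of recent requests per client and refuses a request
    once 'max_requests' have been seen inside the last 'window_seconds'."""

    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, client_id: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(client_id, deque())
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


REGISTERED_PHONES = {u.phone for u in MEMBERS}


def is_registered(phone: str, client_id: str, limiter: SlidingWindowLimiter,
                  now: Optional[float] = None) -> Optional[bool]:
    """Contact-discovery check guarded by the limiter.

    Returns True/False for a lookup that was allowed, or None when the client
    has exhausted its quota, so bulk enumeration stalls after a few guesses."""
    if not limiter.allow(client_id, now):
        return None
    return phone in REGISTERED_PHONES


if __name__ == "__main__":
    print("leaky:", channel_members_response(MEMBERS, serialize_member_leaky))
    print("fixed:", channel_members_response(MEMBERS))
    limiter = SlidingWindowLimiter(max_requests=3, window_seconds=60.0)
    for guess in ("+15550000001", "+15550000002", "+15550000003", "+15550000004"):
        print(guess, "->", is_registered(guess, "client-a", limiter))
```

The limit of three lookups per minute is deliberately small to make the throttle visible; a real deployment would pick a figure that fits legitimate contact sync and would key the limiter on something harder to rotate than a client-supplied id. The allowlist serializer is the more important of the two: a PIN that is never put into the response cannot be recovered from traffic no matter how the client is inspected.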
In an update posted to app stores, Freedom Chat acknowledged a “critical reset” due to a backend update that “inadvertently exposed user PINs in a system response.” The note assured users that no messages were at risk and that, because the app does not support linked devices, conversations were never accessible. The company emphasized that user privacy remains its “top priority.” This incident marks the second time a messaging app from founder Tanner Haas has faced security issues; his previous app, Converso, was removed from app stores after flaws were disclosed that exposed users’ private messages and content.
(Source: TechCrunch)