Messaging app Freedom Chat has fixed a pair of security flaws: one that allowed a security researcher to guess the phone numbers of registered users and another that exposed user-set PINs to others on the app.
Freedom Chat, launched in June, bills itself as a secure messaging app and claims on its website that users’ phone numbers remain private.
However, security researcher Eric Daigle told TechCrunch that users’ phone numbers and PINs, used to lock the app, could be easily obtained by exploiting vulnerabilities.
Daigle found the vulnerabilities last week and shared their details with TechCrunch, as Freedom Chat does not provide a public way to report security flaws, such as a vulnerability disclosure program. TechCrunch then notified Freedom Chat founder Tanner Haas of the security flaws via email.
Haas confirmed to TechCrunch that the app has now reset users’ PINs and released a new version. Haas added that the company is removing cases where users’ phone numbers were occasionally visible and has rate-capped its servers to prevent mass guessing attempts.
Daigle, who published his findings in a blog posttold TechCrunch that it was able to list the phone numbers of nearly 2,000 users who had signed up to use Freedom Chat since it launched. Daigle said Freedom Chat’s servers allowed anyone to flood it with millions of phone number guesses to determine whether a user’s phone number was stored on the servers.
According to Daigle, this technique is identical to one described by the University of Vienna in an investigation last month, where academics scratched data on approximately 3.5 billion user accounts registered on WhatsApp by matching billions of phone numbers with WhatsApp servers.
Daigle also found that Freedom Chat leaked users’ PINs. Using an open-source network traffic inspection tool to analyze data coming in and out of the app, Daigle saw that the app would respond with the PINs of every other user on the same public channel — even if the PINs weren’t visible to users within the app itself.
According to Daigle, anyone who was in the default Freedom Chat channel, which users are automatically subscribed to when they first sign up, had their PIN broadcast to everyone else in the channel. Daigle told TechCrunch that knowing a person’s PIN could allow someone to open the app from a user’s stolen device.
In an app store update posted Sunday, Freedom Chat noted: “A critical reset: A recent support update inadvertently exposed user PINs in a system response. Messages were never compromised, and because Freedom Chat doesn’t support connected devices, your chats were never accessible. However, we reset all user PINs to ensure your account remains secure.”
Freedom Chat is Haas’ second messaging app, after Converso, to be pulled from app stores after the revelation security flaws that exposed users’ private messages and content.
