Ron Amadeo
It turns out that companies that dodge security questions from the media are, in fact, not good at security. Last Tuesday, Nothing Chats, a chat app from Android phone maker Nothing and startup Sunbird, brazenly claimed to be able to hook into Apple's iMessage protocol and give Android users blue bubbles. We immediately called out Sunbird as a company that had been making empty promises for almost a year and appeared to be careless about security. The app launched on Friday anyway and was immediately torn to shreds by the Internet for numerous security problems. It did not last 24 hours: Nothing pulled the app from the Play Store on Saturday morning. The Sunbird app, of which Nothing Chats is just a reskin, has also been "paused."
The app's initial sales pitch, that it would log you into iMessage on Android if you handed over your Apple username and password, was already a huge security red flag: it meant Sunbird would have needed ultra-secure infrastructure to avoid disaster. Instead, the app turned out to be about as insecure as it could be. Here is Nothing's statement:
[Embedded statement from Nothing: Nothing Chats is closed.]
How bad are the security problems? 9to5Google and Texts.com (which is owned by Automattic, the company behind WordPress) found extremely poor security practices. Not only was the app not end-to-end encrypted, as Nothing and Sunbird had repeatedly claimed, but Sunbird logged and stored messages in plain text in its Sentry error-reporting software and in a Firebase store. Authentication tokens were sent over unencrypted HTTP, so anyone on the network path could intercept a token and use it to read the user's messages.
The Texts.com investigation turned up a string of vulnerabilities. The blog states: "When a message or attachment is received by a user, they are unencrypted on the server side until the client sends a request to acknowledge receipt and delete them from the database. This means that an attacker who has subscribed to the Firebase Realtime Database will still be able to access messages before or as they are read by the user." Texts.com was able to intercept an authentication token sent over unencrypted HTTP and use it to subscribe to changes in the database. That meant live updates of "incoming messages, outgoing messages, account changes, etc." not only for their own account, but for other users as well.
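The investigation quoted above hinges on two things a client can observe on its own traffic: a session token carried over a plaintext transport, and message content that is readable in transit. The following is an added example, not code from Sunbird, Nothing, or either investigating team, of a check a practitioner can run over a proxy capture of an app before trusting its encryption claims. The hosts, tokens and the four captured requests are constructed for illustration; a real run would load the records from a HAR file or mitmproxy export.

```python
"""Flag session tokens and message bodies that travel over plaintext transports.

Added example; not code from Sunbird, Nothing, Texts.com or 9to5Google.
The capture below is constructed (hypothetical hosts and tokens). A real
run would load the same record shape from a proxy export such as a HAR file.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Transports without TLS: anyone on the network path can read the bytes.
PLAINTEXT_SCHEMES = {"http", "ws"}
# Header names that normally carry a bearer credential.
CREDENTIAL_HEADERS = {"authorization", "x-auth-token", "cookie", "x-api-key"}
# Query-string keys that apps commonly (and wrongly) use to carry tokens.
CREDENTIAL_PARAMS = {"token", "auth", "access_token", "id_token"}
# JSON keys whose presence in a plaintext payload means user content is exposed.
MESSAGE_KEYS = {"message", "text", "body", "attachment_url"}

# Constructed sample capture; "body" holds the request body or WebSocket frame.
CAPTURE = [
    {"method": "POST", "url": "https://api.example.test/login",
     "headers": {"Content-Type": "application/json"},
     "body": '{"username": "alice@example.test", "password": "hunter2"}'},
    {"method": "GET", "url": "http://api.example.test/session",
     "headers": {"Authorization": "Bearer eyJabc.def.ghi"},
     "body": ""},
    {"method": "GET", "url": "ws://rtdb.example.test/.ws?v=5&auth=eyJabc.def.ghi",
     "headers": {},
     "body": '{"text": "meet at 5?", "attachment_url": "http://cdn.example.test/img1.jpg"}'},
    {"method": "GET", "url": "https://rtdb.example.test/messages.json",
     "headers": {"Authorization": "Bearer eyJabc.def.ghi"},
     "body": ""},
]


def scan_request(req):
    """Return a list of (kind, detail) findings for one captured request."""
    parts = urlsplit(req["url"])
    scheme = parts.scheme.lower()
    if scheme not in PLAINTEXT_SCHEMES:
        return []  # TLS in use; on-path interception is not the problem here
    where = f"{scheme}://{parts.netloc}"
    findings = []
    # 1. Bearer credentials in headers on a plaintext connection.
    for name in req.get("headers", {}):
        if name.lower() in CREDENTIAL_HEADERS:
            findings.append(("credential_header", f"{name} over {where}"))
    # 2. Tokens smuggled in the URL (also end up in proxy and server logs).
    for key in parse_qs(parts.query):
        if key.lower() in CREDENTIAL_PARAMS:
            findings.append(("credential_in_url", f"{key}= over {where}"))
    # 3. Message content readable in transit.
    try:
        payload = json.loads(req.get("body") or "")
    except ValueError:
        payload = None
    if isinstance(payload, dict):
        exposed = sorted(MESSAGE_KEYS & set(payload))
        if exposed:
            findings.append(("plaintext_message", f"keys {exposed} over {where}"))
    return findings


def scan_capture(requests):
    """Scan every captured request; returns the flat list of findings."""
    findings = []
    for req in requests:
        findings.extend(scan_request(req))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_capture(CAPTURE):
        print(f"{kind}: {detail}")
```

Two caveats. The first record, the password sent to the login endpoint, is not flagged because it travels over TLS; that request is the design red flag from the sales pitch, not a transport bug, and no traffic scanner will catch it. Second, what the server does afterwards (logging bodies to an error tracker, leaving them readable in a realtime database until the client acknowledges them) is invisible from the client side; that part of the finding only comes from talking to the backend with a token, as the investigators did.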
Texts.com has released a proof-of-concept application that retrieves your supposedly end-to-end encrypted messages from Sunbird's servers. Batuhan Içöz, a product engineer at Texts.com, has also released a tool that deletes some of your data from Sunbird's servers. Içöz recommends that all Sunbird and Nothing Chats users change their Apple ID password now, revoke the Sunbird session, and "assume your data is already compromised."
9to5Google's Dylan Roussel investigated the app and found that, in addition to all text data being public, "All documents (images, videos, audios, PDFs, vCards…) sent via Nothing Chat AND Sunbird are public." Roussel found that Sunbird currently stores some 630,000 media files and was apparently able to access them. Sunbird's app encourages users to share vCards (virtual business cards filled with contact data), and Roussel says the personal information of more than 2,300 users is accessible. Roussel calls the fiasco "probably the biggest 'privacy nightmare' I've seen from a phone maker in years."