- Freedom Chat exposed user phone numbers and PIN codes due to two major security flaws
- A misconfigured server let attackers brute‑force phone numbers, while a second bug leaked PINs to everyone in a default public channel
- After media escalation, the company patched the issues and forcibly reset all user PINs
Messaging app Freedom Chat reportedly carried two major security vulnerabilities which allowed malicious actors to expose user phone numbers and PIN codes, experts have reported.
Security researcher Eric Daigle rebealed Freedom Chat suffered from the same misconfiguration as WhatsApp, when it exposed phone numbers of 3.5 billion users.
The app’s servers allow anyone to try and guess user phone numbers indefinitely, to see if they’ll get a match.
Resetting PINs
The second bug leaked people’s PIN codes. Daigle said he used an open source network traffic inspection tool to analyze the data moving through the app, and found that the app would respond with the PIN code of every user in the same public channel, even if the app users couldn’t see the codes.
Daigle claims that anyone subscribed to the default Freedom Chat channel had their PIN broadcast to everyone else. Unfortunately enough, everyone who signs up is automatically subscribed to this channel, meaning if someone got ahold of their device, they could easily unlock the app.
To make matters worse, if we assume people use the same PIN code across multiple services, this could put other apps and tools at risk, as well, including credit cards, crypto wallets, and social media accounts.
Fortunately, unlike WhatsApp, who counts its users in the billions, Freedom Chat is a newly released app which has roughly 2,000 users.
Daigle tried reaching out to Freedom Chat but since there is no official way to report bugs, he was unable to get the company’s attention. However TechCrunch succeeded by reaching out directly to founder Tanner Haas – who later confirmed the company released a new version and reset everyone’s PINs.
“A critical reset: A recent backend update inadvertently exposed user PINs in a system response,” the company said on its app store update page.
“No messages were ever at risk, and because Freedom Chat does not support linked devices, your conversations were never accessible; however, we’ve reset all user PINs to ensure your account stays secure. Your privacy remains our top priority.”
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/KnYDAbJHaMmzm6ExTCgKLb-1920-80.jpg
Source link
