
Security flaws in Freedom Chat app exposed users’ phone numbers and PINs

Messaging app Freedom Chat has fixed a pair of significant security flaws that compromised the privacy of its users. The vulnerabilities, discovered by security researcher Eric Daigle, allowed attackers to guess registered users’ phone numbers and exposed user-set PINs to other people on the app. This is especially concerning because Freedom Chat markets itself as a secure messaging app that keeps users’ phone numbers private.

Vulnerabilities and Exploitation

Daigle found that Freedom Chat’s servers allowed anyone to flood them with millions of phone number guesses to determine whether a given phone number belonged to a registered user. This technique is similar to one described by the University of Vienna in research last month, where academics scraped data on some 3.5 billion user accounts that had signed up to WhatsApp by matching billions of phone numbers against WhatsApp’s servers. Daigle was able to enumerate the phone numbers of close to 2,000 users who had signed up to use Freedom Chat since it launched.

Furthermore, Daigle discovered that Freedom Chat was leaking users’ PIN codes. Using an open-source network traffic inspection tool, he saw that the responses sent to the app included the PIN codes of every other user in the same public channel, even though the app itself never displayed those PINs. This meant that anyone in the default Freedom Chat channel, which users are automatically subscribed to when they first sign up, had their PIN broadcast to everyone else in the channel.
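The PIN leak described above is a classic case of a server serialising whole user records into a response and relying on the client to hide the private fields. The following is an added illustration, not Freedom Chat’s code; the record layout, field names and sample members are constructed assumptions. It shows the leaky listing beside a hardened one that allow-lists public fields, plus a response check that a test suite can run to catch this class of over-exposure.

```python
"""Added example: over-exposed private fields in a channel member listing.
Not Freedom Chat's code; ChannelMember, PUBLIC_FIELDS and the sample
members are assumptions made for illustration."""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class ChannelMember:
    user_id: str
    display_name: str
    phone: str  # private: must not be sent to other members
    pin: str    # private: the user-set PIN the article says was leaked


# Constructed sample data for a default channel every new user joins.
DEFAULT_CHANNEL = [
    ChannelMember("u1", "alice", "+15550000001", "4821"),
    ChannelMember("u2", "bob", "+15550000002", "9130"),
    ChannelMember("u3", "carol", "+15550000003", "7746"),
]

# Fields any channel member may see about any other member.
PUBLIC_FIELDS = ("user_id", "display_name")
PRIVATE_FIELDS = ("phone", "pin")


def leaky_channel_listing(members):
    """The flaw: every record is serialised whole, so each member receives
    everyone else's phone and PIN. The UI may hide them, but a traffic
    inspector sees them on the wire."""
    return [asdict(m) for m in members]


def safe_channel_listing(members, requester_id):
    """Hardened form: other users' records are reduced to PUBLIC_FIELDS;
    only the requester's own record keeps its private fields."""
    listing = []
    for m in members:
        if m.user_id == requester_id:
            listing.append(asdict(m))
        else:
            listing.append({k: getattr(m, k) for k in PUBLIC_FIELDS})
    return listing


def leaked_private_fields(listing, requester_id, private=PRIVATE_FIELDS):
    """Response check for a test suite or API gateway: which private fields
    about *other* users appear in this response? Empty list means clean."""
    return sorted({f for rec in listing if rec["user_id"] != requester_id
                   for f in private if f in rec})
```

Running `leaked_private_fields` over the leaky listing reports both `phone` and `pin`, while the hardened listing reports nothing, which is the kind of assertion a CI test on the endpoint would have caught before release.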

Response and Resolution

Freedom Chat founder Tanner Haas confirmed that the app has now reset user PINs and released a new version to address the security flaws. Haas also stated that the company is removing instances where users’ phone numbers were occasionally visible and has increased rate-limiting on its servers to prevent mass-guess attempts. In an app store update, Freedom Chat noted that a critical reset was necessary due to a backend update that inadvertently exposed user PINs in a system response.

It’s worth noting that this is not the first time a messaging app from Haas has faced security issues. His previous app, Converso, was delisted from app stores following the disclosure of security flaws that exposed users’ private messages and content. The recent vulnerabilities in Freedom Chat highlight the importance of robust security measures and transparency in messaging apps.

For more information on the security flaws in Freedom Chat, read the full article here.

Image Credit: techcrunch.com
