Messaging app Freedom Chat has addressed two security vulnerabilities: one that allowed a security researcher to deduce users’ phone numbers and another that revealed user-set PINs to other app users.
Launched in June, Freedom Chat markets itself as a safe messaging platform, stating on its website that users’ phone numbers remain confidential.
Security researcher Eric Daigle informed TechCrunch that it was easy to access users’ phone numbers and PIN codes, which are intended for app security, by taking advantage of certain weaknesses.
Last week, Daigle identified these vulnerabilities and shared his findings with TechCrunch, noting that Freedom Chat lacks a public method for reporting security issues, such as a vulnerability disclosure program. TechCrunch subsequently alerted Freedom Chat founder Tanner Haas via email.
Haas confirmed to TechCrunch that the app has reset user PINs and released an updated version. He mentioned that the company is working to eliminate instances where users’ phone numbers were occasionally visible and has implemented rate-limiting on its servers to prevent mass guessing attacks.
Daigle, who documented his findings in a blog post, indicated that it was possible to guess the phone numbers of nearly 2,000 users who had signed up for Freedom Chat since its launch. He noted that the app’s servers permitted anyone to bombard them with millions of phone number guesses to see if a user’s phone number was registered.
Daigle stated that this method was similar to one highlighted by the University of Vienna last month, where researchers scraped data from approximately 3.5 billion accounts that signed up for WhatsApp by matching numerous phone numbers against WhatsApp’s servers.
Additionally, Daigle discovered that Freedom Chat was unintentionally leaking user PIN codes. By utilizing an open-source network traffic inspection tool to analyze the data exchanged by the app, Daigle observed that the app would reveal the PIN codes of other users within the same public channel, even if those PINs weren’t visible in the app.
He explained that every user in the default Freedom Chat channel, to which new users are subscribed automatically, had their PIN exposed to all other members of that channel. Daigle noted that if someone obtained another user’s PIN, it could allow access to the app from a compromised device.
In an app store update published on Sunday, Freedom Chat stated: “A critical reset: A recent backend update inadvertently exposed user PINs in a system response. No messages were ever at risk, and since Freedom Chat does not support linked devices, your conversations were never accessible; however, we’ve reset all user PINs to ensure your account stays secure. Your privacy remains our top priority.”
This marks Haas’ second messaging app venture, following Converso, which was removed from app stores after security flaws were revealed that compromised users’ private messages and content.