Messaging app Freedom Chat has fixed two security flaws. One allowed security researchers to guess registered users' phone numbers, and the other allowed users to set a PIN and make it available to other users on the app.
Released in June, Freedom Chat advertises itself as a secure messaging app, and its website claims that users' phone numbers are kept private.
However, security researcher Eric Daigle told TechCrunch that the user's phone number and PIN code used to lock the app could be easily obtained by exploiting the vulnerability.
Daigle discovered the vulnerability last week and shared its details with TechCrunch, as Freedom Chat does not offer a public means to report security flaws like a vulnerability disclosure program. TechCrunch later alerted Freedom Chat founder Tanner Haas about the security flaw in an email.
Haas confirmed to TechCrunch that the app reset user PINs and released a new version. Haas added that the company is removing instances where a user's phone number is occasionally displayed and is gradually tightening rate limits on its servers to prevent mass guessing attempts.
Daigle, who published his findings in a blog post, told TechCrunch that he was able to list the phone numbers of nearly 2,000 users who have signed up to use Freedom Chat since its launch. Daigle said Freedom Chat's servers allowed anyone to submit millions of phone number guesses in order to determine if a user's phone number was stored on the server.
Daigle said the technique is identical to one published in a study last month by the University of Vienna, in which academics collected data on the roughly 3.5 billion user accounts who signed up for WhatsApp by matching billions of phone numbers with WhatsApp's servers.
Daigle also discovered that Freedom Chat was leaking users' PIN codes. Using open-source network traffic inspection tools to analyze data flowing into and out of the app, Daigle found that the app responded with the PIN code of every other user in the same public channel, even if the PIN was not visible to the user within the app itself.
According to Daigle, anyone who joined the default Freedom Chat channel, which users are automatically subscribed to when they first sign up, had their PIN broadcast to everyone else in the channel. Daigle told TechCrunch that knowing a person's PIN could allow them to open apps from the user's stolen device.
In an app store update published on Sunday, Freedom Chat said, “Critical reset: A recent backend update inadvertently exposed a user's PIN in a system response. At no time were their messages ever compromised. And because Freedom Chat does not support linked devices, they were unable to access their conversations. However, we have reset the PIN for all users to ensure the safety of their accounts. Your privacy remains our top priority.”
Freedom Chat is Haas' second messaging app, following Converso, which was removed from the app store following the disclosure of security flaws that exposed users' private messages and content.