Pass on Puffchat, A Less Secure Snapchat

It’s telling enough when a private messenger is found to be leaking user information and the private messages it had promised to keep secure. But when a “secure” alternative to the private messenger has been found to be just as – if not more – risky, the jury is apparently still out on what a secure messaging app actually means.

And that’s where we are today, after Puffchat, the supposed ‘answer’ to hackable Snapchat, has also been found to be highly exploitable. The service, whose Twitter bio describes it as “the texting alternative to Snapchat – The evidence is gone forever,” contains several vulnerabilities that make it much less secure than it markets itself to be, which means it is falsely representing itself.

Security researcher Thomas Hedderwick documented the numerous flaws on his blog. The biggest issue he found was that messages are never automatically deleted, but are just taken off your phone. Images stay at least temporarily on Puffchat’s servers, and anyone who knows an image’s URL could see it online.

“You can clearly see the server knows the message has been read and yet it remains; it’s downloaded to your phone every time you make a request for your messages, the client just doesn’t show it to you… and yes, that includes the nude [sic] pics you’ve been sending to that account,” Hedderwick wrote.

“To top it all off, you can visit the pictures publicly and see via their site – nice! This is an incredible breach of privacy, and a blatant lie to their customers. It’s ‘secure’ but no SSL, it’s ‘secure’ but I can control your account remotely, it’s ‘secure’ but I can see your junk on the web by visiting a public page.”

The app asks new signups to provide their email, a password and their date of birth. Once registered, the app asks for access to your contacts and uploads them – via an insecure HTTP connection – onto their supposedly secure servers.

Puffchat’s Response

Puffchat CEO Michael Suppo responded to the accusations in a blog post, saying that the exploit had not been properly disclosed to the team.

“Last week, a security researcher posted information about our API. Unfortunately, the information was not emailed to any of our Puffchat administration accounts and was therefore not responsibly disclosed over the internet.” 

It seems Puffchat will be fixing the issues Hedderwick found; Suppo added that “over the next few days we will be implementing more safeguards to make improvements to combat spam and abuse.”

Suppo also demanded that Hedderwick take down his post, claiming that he had not gone through the proper channels in reporting his findings. Hedderwick responded by telling Suppo to “honor his own privacy policy,” and said he had no intention of removing the post. Worse still for Suppo, his Twitter account has been hacked for over 24 hours at the time of this post. When another Twitter user asked how the hacker accessed the account, the hacker responded: “SQLi, stored plaintext passwords and password reuse, all rolled into one. This guy really knows his insecurities.” Ouch.

The Race Is On For a Truly Secure Messenger App

In the wake of NSA revelations and discoveries of less-than-secure messaging apps, a host of private, secure, anti-snooping apps (or those pretending to be) have popped up. One of the tweets sent from Suppo’s hacked Twitter account highlighted a few of the messaging apps “doing security right,” including Guardian Project, Whisper Systems and the Tor Project. Telegram, another secure messaging app, saw five million downloads last week after WhatsApp was purchased by Facebook and experienced downtime shortly after.

As the concept of secure chatting continues to become more mainstream, more of these secure apps will come to market, and there is definitely a market for them. The tricky part, it seems, is getting the whole security part right.

Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.

Latest posts by Sarah Vonnegut (see all)
