- Freedom Chat exposed users’ phone numbers and PIN codes due to two major security flaws.
- A misconfigured server allowed attackers to brute force phone numbers, while a second bug leaked PINs to everyone on a default public channel.
- After media escalation, the company fixed the issues and forcibly reset all user PINs.
Messaging app Freedom Chat had two major security vulnerabilities that allowed malicious actors to expose users’ phone numbers and PIN codes, experts have reported.
Security researcher Eric Daigle revealed that Freedom Chat suffered from the same misconfiguration as WhatsApp, which exposed the phone numbers of 3.5 billion users.
The app’s servers allow anyone to try to guess users’ phone numbers indefinitely, to see if they get a match.
Reset PIN
The second bug leaked people’s PIN codes. Daigle said he used an open source network traffic inspection tool to analyze data moving through the app and found that the app would respond with each user’s PIN code in the same public channel, even if app users couldn’t see the codes.
Daigle claims that anyone who subscribed to the default Freedom Chat channel broadcast their PIN to everyone else. Unfortunately, everyone who signs up is automatically subscribed to this channel, meaning that if someone gets their hands on your device, they could easily unlock the app.
To make matters worse, if we assume that people use the same PIN code across multiple services, this could also put other apps and tools at risk, including credit cards, crypto wallets, and social media accounts.
Fortunately, unlike WhatsApp, which has billions of users, Freedom Chat is a newly launched app with approximately 2,000 users.
Daigle attempted to contact Freedom Chat, but since there is no official way to report bugs, he was unable to get the company’s attention. However, TechCrunch managed to contact founder Tanner Haas directly, who later confirmed that the company released a new version and reset everyone’s PINs.
“A critical reset: A recent backend update inadvertently exposed user PINs in a system response,” the company said on its App Store update page.
“No messages were at risk and because Freedom Chat does not support linked devices, your conversations were never accessible; however, we have reset all user PINs to ensure your account remains secure. Your privacy remains our top priority.”
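The PIN leak described above is a case of a server returning more fields than the client displays. As an added example (not code from Freedom Chat or the researcher), this Python sketch scans a response for secret-looking fields and rebuilds it from an allowlist; the field names, schema and sample response are constructed assumptions.

```python
import json

# Key names treated as secrets; an assumption for this sketch.
SENSITIVE_KEYS = {"pin", "pin_code", "pincode", "password", "otp", "secret"}
# Fields a channel-member view may carry (hypothetical schema).
MEMBER_ALLOWLIST = {"user_id", "display_name", "avatar_url"}


def find_sensitive_fields(payload, path="$"):
    """Walk a decoded JSON response and return the paths of secret-looking keys."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            if key.lower().replace("-", "_") in SENSITIVE_KEYS:
                hits.append(child)
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    return hits


def serialize_member(record):
    """Build the outbound member object from an allowlist, never from the whole row."""
    return {k: record[k] for k in MEMBER_ALLOWLIST if k in record}


def fixed_response(raw):
    """Re-serialize a channel-members response so only allowlisted fields leave the server."""
    return {"channel": raw["channel"],
            "members": [serialize_member(m) for m in raw["members"]]}


# Constructed sample: a channel-members response that returns whole user rows.
LEAKY_RESPONSE = json.loads("""
{"channel": "default",
 "members": [
   {"user_id": 1, "display_name": "alice", "pin": "123456"},
   {"user_id": 2, "display_name": "bob", "profile": {"pin_code": "654321"}}
 ]}
""")

if __name__ == "__main__":
    print("before:", find_sensitive_fields(LEAKY_RESPONSE))
    print("after: ", find_sensitive_fields(fixed_response(LEAKY_RESPONSE)))
```

Run as a response-contract test in CI, the scanner catches this class of regression before a backend update ships, regardless of what the client UI renders.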




