
Freedom Chat messaging app leaks users’ phone numbers and more, we know

  • Freedom Chat has exposed users’ phone numbers and PINs in two major security breaches.
  • A misconfigured server allowed attackers to decrypt phone numbers, while a second flaw leaked PINs to everyone on a regular public channel.
  • After a media escalation, the company fixed the issues and forced all users’ PINs to be reset.

According to expert reports, messaging app Freedom Chat had two serious security flaws that let malicious actors obtain users’ phone numbers and PINs.

Security researcher Eric Daigle revealed that Freedom Chat suffered from the same misconfiguration as WhatsApp did when it exposed the phone numbers of 3.5 billion users.

The app’s servers allowed anyone to keep guessing phone numbers indefinitely to see whether any of them matched a user.
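One way a server can bound this kind of guessing, shown as an added example that is not Freedom Chat's code or its actual fix: a cap on how many distinct numbers one client may test per time window. The class name, the limits, the client IDs and the phone numbers are all constructed for illustration, and the client ID is assumed to come from an authenticated account or device.

```python
from collections import defaultdict, deque


class LookupLimiter:
    """Caps how many distinct phone numbers one client may test per window."""

    def __init__(self, max_distinct=20, window_s=3600):
        self.max_distinct = max_distinct
        self.window_s = window_s
        self._seen = defaultdict(deque)  # client_id -> deque of (timestamp, phone)

    def allow(self, client_id, phone, now):
        q = self._seen[client_id]
        # Expire lookups that have fallen out of the window.
        while q and now - q[0][0] >= self.window_s:
            q.popleft()
        distinct = {p for _, p in q}
        if phone in distinct:
            return True   # re-checking a known contact does not cost budget
        if len(distinct) >= self.max_distinct:
            return False  # budget spent: refuse before doing any match lookup
        q.append((now, phone))
        return True


def simulate():
    """Replay constructed traffic: a normal contact sync and a number sweep."""
    limiter = LookupLimiter(max_distinct=20, window_s=3600)

    # Client "syncer" re-checks the same 5 contacts once a minute, 10 times.
    contacts = [f"+1555010{i:04d}" for i in range(5)]
    sync_ok = all(limiter.allow("syncer", p, now=t * 60)
                  for t in range(10) for p in contacts)

    # Client "sweeper" walks 1000 sequential numbers, one per second.
    answered = sum(limiter.allow("sweeper", f"+1555020{i:04d}", now=i)
                   for i in range(1000))
    return sync_ok, answered


if __name__ == "__main__":
    ok, answered = simulate()
    print(f"contact sync unaffected: {ok}; sweep lookups answered: {answered}/1000")
```

A per-client cap only slows a single account; a service also needs limits per source network and on account creation, since an attacker can spread guesses across many clients.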

Reset your PIN codes

The second mistake leaked people’s PINs. Daigle said he used an open-source network traffic inspection tool to analyze data sent by the app and found that the app responded with each user’s PIN on the same public channel, even though app users couldn’t see the codes.

Daigle says everyone who signed up for the regular Freedom Chat channel had their PIN sent to everyone. Unfortunately, anyone who signs up is automatically subscribed to this channel. This means that if someone gets hold of your device, they can easily unlock the app.

Even worse, assuming people use the same PIN for multiple services, this could also compromise other apps and tools, including credit cards, crypto wallets, and social media accounts.

Fortunately, unlike WhatsApp, which has billions of users, Freedom Chat is a newly launched app with around 2,000 users.

Daigle tried to contact Freedom Chat, but since there is no official way to report bugs, he was unable to get the company’s attention. However, TechCrunch did so by contacting founder Tanner Haas directly, who then confirmed that the company had released a new version and reset everyone’s PINs.

“A critical reset: A recently updated backend accidentally released user PINs in a system response,” the company said on the App Store update page.

“No messages were compromised, and since Freedom Chat doesn’t support connected devices, your conversations were never accessible. However, we’ve reset all user PINs to keep your account secure. Your privacy remains our top priority.”