It turns out that a company which waves away security concerns raised by the press isn’t really good at security.

Last Tuesday, Nothing Chat — a chat app from Android maker Nothing and app startup Sunbird — claimed it was able to hook into Apple’s iMessage protocol and give Android users blue bubbles. We immediately flagged Sunbird as a company that had made empty promises about security for nearly a year and that seemed questionable. The app nevertheless launched on Friday and was immediately panned across the internet for numerous security issues. It took less than 24 hours for Nothing to pull the app from the Play Store on Saturday morning. Sunbird, of which Nothing Chat is merely a redesign, has also been “paused”.
The app’s primary selling point — that it would log you into iMessage on Android if you handed over your Apple username and password — was a huge security red flag, and it meant Sunbird needed a highly secure infrastructure to avoid disaster. Instead, it turns out that the app was nowhere near as secure as it should have been. Here is Nothing’s statement:
How bad is the security problem? Both 9to5Google and Text.com (which is owned by Automattic, the company behind WordPress) exposed very poor security practices. Not only was the app not end-to-end encrypted, as Nothing and Sunbird repeatedly claimed it was, but Sunbird actually logged messages and saved them in plain text to both its bug-reporting service and its Firebase store. Authentication tokens are sent over unencrypted HTTP, so the token can be intercepted and used to read your messages.
Text.com’s investigation revealed several vulnerabilities. The blog states: “When a user receives a message or attachment, it is not encrypted on the server side until the client sends a request to confirm it and delete it from the database. This means that an attacker who subscribes to the Firebase Realtime DB will always be able to access messages before or at the moment they are read by the user.” Text.com was able to intercept the authentication token sent over unencrypted HTTP and subscribe to changes in the database, receiving live updates about “incoming and outgoing messages, account changes, etc” not only for its own account but also for other users.
Text.com published a proof-of-concept application that can retrieve your supposedly end-to-end encrypted messages from Sunbird’s servers. Içöz, a product engineer at Text.com, also released a tool that deletes some of your data from Sunbird’s servers. Içöz recommends that all Sunbird/Nothing Chat users change their Apple ID passwords immediately, revoke their Sunbird sessions, and “assume that your data has already been compromised.”
9to5Google’s Dylan Roussel checked the app and found that, in addition to all text data being public, “Nothing Chat and all documents sent via Sunbird (photos, videos, audios, PDFs, vCards…) are public.” Roussel found that Sunbird currently stores 630,000 media files and that he could access some of them. Sunbird encouraged app users to share vCards — virtual business cards full of contact information — and Roussel said more than 2,300 users’ personal information could have been accessed. Roussel called the whole fiasco “probably the biggest privacy nightmare I’ve seen from a phone maker in years.”
Despite causing this massive disaster, Sunbird remained strangely calm throughout the mess. There’s still nothing on the app’s X page (formerly Twitter) about shutting down Nothing Chat or Sunbird. That’s probably for the best, as some of Sunbird’s initial responses to the security concerns raised on Friday didn’t seem to come from a competent developer. At first the company defended its use of unencrypted HTTP for some web transactions, telling Text.com that “HTTP is only used as part of the app’s first one-time request to inform the backend of the next iMessage connection frequency, which will follow through a separate communication channel. Sunbird focused on safety from the start.” Text.com’s investigation found instead that the endpoint “was a load-balanced Express server that did not implement SSL, making it easier for an attacker to intercept requests.” Over that HTTP channel, Text.com was able to intercept authentication tokens.
Modern security best practices state that using unencrypted HTTP for online transactions is never acceptable, and many platforms block plaintext HTTP transfers entirely by default. Chrome displays a full-page warning when you try to access an HTTP page and makes you click through it. Android disables plaintext traffic by default; a developer has to set a special flag to allow that traffic through. Projects like Let’s Encrypt make HTTPS not only easy and free but also simple: encrypt everything so you don’t have to think about which requests need protecting. These are the basics of using the Internet in 2023, and it’s shocking to see a developer argue against them, especially when that developer also wants you to trust it with your Apple account. It would be one thing if this had been a careless mistake, but Sunbird thought it was right!
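To make the Android default concrete, here is an added example of the network security configuration an app author would ship to keep cleartext off; it is not code from Nothing or Sunbird, and the domain `api.example.com` and the file name are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (placeholder name, assumed here).
     Referenced from AndroidManifest.xml on the <application> element with
       android:networkSecurityConfig="@xml/network_security_config"

     Weak setting: the app opts back into plaintext traffic, which is what lets an
     authentication token travel over HTTP where anyone on the path can read it.
       <application android:usesCleartextTraffic="true" ...>
     or, in this file, <base-config cleartextTrafficPermitted="true">.

     Since Android 9 (API 28) cleartext is already off by default; the explicit
     config below pins that choice so a later change cannot silently re-enable it. -->
<network-security-config>
    <!-- Hardened: no cleartext for any destination the app talks to. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Optional per-host override: even a "first one-time request" to the
         backend (placeholder host) must be HTTPS; the platform refuses http://. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
    </domain-config>
</network-security-config>
```

With this in place, an `http://api.example.com/...` request from the app fails at the platform layer with an `UnknownServiceException` (“CLEARTEXT communication ... not permitted”) instead of leaking the token.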
It isn’t news that Nothing is an Android manufacturer with more hype than substance, but now we can add “laziness” to that list. The company partnered with Sunbird, redesigned its app, created a promotional website and a YouTube video, and coordinated a media push with famous YouTubers, all without the slightest careful review of Sunbird’s app or its security claims. It’s incredible that these two organizations were able to get this far, as launching Nothing Chat required systemic security failures at two entire organizations.
Sunbird makes no firm claim about when the app will come back once it “fixes a few bugs”. If your entire application appears to have been built without any security considerations, I don’t see any way to fix it in a week or two. When Nothing Chat returns to the Play Store, will anyone trust it enough to enter their credentials?