Nothing Chat Catastrophe - More Vulnerabilities Discovered in iMessage Clone

Nothing Chat Catastrophe - More Vulnerabilities Discovered in iMessage Clone

Designed to provide an Android version of Apple's iMessage, Nothing's recently announced new messaging app, Nothing Chats, has failed like a lead balloon: just one day after its release on the Google Play store, Nothing shut down the app due to serious security concerns Now, two more vulnerabilities have reportedly come to light

As discovered by Android Authority, Android developer and reverse engineer Dylan Roussel, who previously made an internal accusations, and recently shared two additional vulnerabilities centered around Nothing's infrastructure on X [The first vulnerability, discovered in September, was found in the CMF Watch app, which was allegedly developed jointly by Nothing and a company called Jingxun; according to Roussel, the app successfully encrypted both email and password information, but the used encryption method was not secure Anyone with access to the same decryption key would have all the tools to decrypt the information, thus defeating the purpose of encrypting the information in the first place

According to Roussel, Nothing/Jingxun has since addressed this vulnerability, but the fix only works for passwords It is said that it is still possible to decrypt an e-mail address used as someone's user name

The second vulnerability is said to be related to Nothing's internal data, although exact details have not been disclosed The company was made aware of the issue in August, but has not yet patched it

In a statement to Android Authority, a spokesperson for Nothing said that the company is currently working to resolve the issue:

"CMF takes privacy issues very seriously and the team is investigating security concerns regarding the Watch app We are investigating the issue We fixed the initial credentialing concerns earlier this year and are currently working to resolve the issues raised We plan to distribute an OTA update to all CMF Watch Pro users as soon as this next fix is complete"

The representative added that it is now easier to file security reports on CMF's Security Vulnerability Report page

Roussel previously exposed how Sunbird, the Nothing Chats platform, decrypts messages via HTTP and sends them to Firebase's cloud sync server, where they are stored in unencrypted plain text Therefore, Sunbird's messages are publicly available and unencrypted through Firebase's real-time database He also noted that Sunbird also has access to these messages because they are logged as errors by the debugging service Sentry

Nothing Chats' official page confirms that the beta version of the app has been pulled from the Play Store, and the company now says that it is "delaying the launch until further notice" until "some bugs" are fixed

One of iMessage's biggest selling points is that it offers end-to-end encryption by default Apple cites additional security as one of the reasons it will adopt the RCS messaging standard next year In both cases, your messages are secure and inaccessible to third parties, including Apple Instead, Nothing promised end-to-end encryption and only stored texts publicly in plain text; it remains to be seen if Nothing can recover from this blunder

Categories