Monday, March 3, 2014

Puffchat Fail. By @NinjaLikesCheez

The following content below was produced by @NinjaLikesCheez and mirrored for archiving purposes.
Original Source:
"It's a texting alternative to Snapchat, where you can send self-destruct texts to contacts, great for confidentiality/discreet messages that you want permanently erased." - Michael, CEO -developer of Puffchat. "Everything is secure guys, and phone numbers aren't required for registration like Snapchat." - Michael. Image © Puffchat. Puffchat popped up on my Facebook Timeline this week with the claim of being a 'secure' alternative to Snapchat. It has a nice user base for what it is with the dev claiming over 11,000 users... not bad, but is it secure?

Puffchat's registration asks for three pieces of information - Email, Password, & your Date of Birth. If these are acceptable it then asks for your desired username & access to your contacts. A lot of applications these days ask for access to your contacts, yet a lot handle your data incorrectly. One of the first things Puffchat does is upload your address book (via HTTP) to their 'secure' severs, along with some registration data and a unique device key to link the account to your phone. The application communicates with a REST API hosted on and has a couple of modules that do various operations; every request sent from the app has a key argument that holds a secret (not-so-secret) key. We all know you can't keep a secret key secret in a binary, you can try and hide it but not only is it pretty futile, in this case it wasn't done at all.So Secret. Much InfoSEC.
So Secret. Much key. Very hidden.

Turns out that searching for anyone gives you their registered username (not bad), birthday (wait what?), and registered email (which is shown in the app under their username). So by searching for a user you get three really nice pieces of information about them, and a lot of people still use their birthdays as their PINs, passwords, or security questions.
Not only that, but you can do almost any operation in the API on any account without access to the account or local access to the device . Proof? Well you can go ahead and send a friend request to yourself from any account you want - the CEO in this case.

key -> dl81Vh2uorfNdj2Rt2M4EylW91uUsQRZwhQ99g7K0MRXeMYePS
moduleName -> addFriendRequest
userName -> michael
userEmail -> michael***@***.*** 
friendName -> ***@***.***
friendEmail -> ***@***.***
Michael Puffs
Turns out you can send them on other's behalf too

Here comes the kicker;

Nothing is deleted automatically (even when the message is read). It's all their in the API responses.
{"success":true,"data":[{"id":"***","sender":"***","sender_email":"***@***", "receiver":"***","receiver_email":"***@***", "text":"hi babe send me back","filename":"***","time":"***", "duration":"10","status":"Read","is_taken_screenshot":"0"}
You can clearly see the server knows the message has been read and yet it remains; it's downloaded to your phone every time you make a request for your messages, the client just doesn't show it to you... and yes, that includes the nude dickpics you've been sending to that account. To top is all off, you can visit the pictures publicly and see via their site - nice! This is an incredible breach of privacy, and a blatant lie to their customers. It's 'secure' but no SSL, it's 'secure' but I can control your account remotely, it's 'secure' but I can see your junk on the web by visiting a public page. Proof?

Here you go:

Obviously censored to protect the poor guys pride.

In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what's happening with their data. It's only saving grace is that it appears to delete the message logs if you manually clear your feed, still a far way off being secure.