Puff Puff… Pass.

“It’s a texting alternative to Snapchat, where you can send self-destruct texts to contacts, great for confidentiality/discreet messages that you want permanently erased.” – Michael, CEO & developer of Puffchat.

[Image removed]

Puffchat popped up on my Facebook Timeline this week with the claim of being a ‘secure’ alternative to Snapchat. It has a decent user base for what it is, with the dev claiming over 11,000 users… not bad, but is it secure?

Puffchat’s registration asks for three pieces of information – Email, Password, & your Date of Birth. If these are acceptable it then asks for your desired username & access to your contacts. A lot of applications these days ask for access to your contacts, yet many of them handle that data badly. One of the first things Puffchat does is upload your entire address book (over plain HTTP) to their ‘secure’ servers, along with some registration data and a unique device key to link the account to your phone.

The application communicates with a REST API hosted on http://www.puffchat.me/ (plain HTTP, no SSL) and exposes a couple of modules that perform various operations; every request the app sends carries a key argument holding a secret (not-so-secret) key. We all know you can’t keep a secret key secret in a binary: you can try to hide it, but not only is that largely futile, in this case it wasn’t even attempted.

So Secret. Much InfoSEC.

So Secret. Much key. Very hidden.

Turns out that searching for anyone gives you their registered username (not bad), birthday (wait, what?), and registered email (which is shown in the app under their username). So by searching for a user you get three really nice pieces of information about them, and a lot of people still use their birthdays as PINs, passwords, or answers to security questions.

{"success":true,"data":{"user_name":"test","birthday":"1980-02-20","email":"***@***.***"}}

Not only that, but you can perform almost any operation in the API on any account without access to that account or local access to the device. Proof? Well, you can go ahead and send a friend request to yourself from any account you want – the CEO’s in this case.

POST puffchat.me/

key -> dl81Vh2uorfNdj2Rt2M4EylW91uUsQRZwhQ99g7K0MRXeMYePS
moduleName -> addFriendRequest
userName -> michael
userEmail -> michael***@***.*** 
friendName -> ***@***.***
friendEmail -> ***@***.***
Michael Puffs

Turns out you can send them on others’ behalf too.

Here comes the kicker:

Nothing is deleted automatically, not even once the message has been read. It’s all still there in the API responses.

{"success":true,"data":[{"id":"***","sender":"***","sender_email":"***@***",
"receiver":"***","receiver_email":"***@***",
"text":"hi babe send me back","filename":"***","time":"***",
"duration":"10","status":"Read","is_taken_screenshot":"0"}]}

You can clearly see the server knows the message has been read, yet it remains: it's downloaded to your phone every time you request your messages, the client just doesn't show it to you... and yes, that includes the nude dickpics you've been sending to that account. To top it all off, the pictures are publicly reachable on their site - nice! This is an incredible breach of privacy, and a blatant lie to their customers. It's 'secure' but has no SSL; it's 'secure' but I can control your account remotely; it's 'secure' but I can see your junk on the web by visiting a public page. Proof? Here you go:

[Image removed]

In the interest of responsible disclosure I did try to contact the dev in multiple ways; I was either ignored or not replied to, and I feel users deserve to know what’s happening with their data.

Its only saving grace is that it appears to delete the message logs if you manually clear your feed; still a long way off being secure.
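To make the three design flaws above concrete (one app-wide key standing in for authentication, the caller naming whichever account it acts for, and read messages never being removed), here is an added in-memory model of that API pattern beside a hardened design. This is example code written for this post, not Puffchat's code; every key, name and message in it is constructed for illustration.

```python
# Added example (not Puffchat's code): the API pattern described above, modelled in memory,
# beside a hardened design. All keys, names and messages here are constructed for illustration.
import secrets
APP_KEY = "placeholder-static-key"  # stands in for the single key shipped inside the app
USERS = {"alice": {"birthday": "1980-02-20", "email": "alice@example.com", "friends": set()},
         "bob": {"birthday": "1991-07-04", "email": "bob@example.com", "friends": set()}}
MESSAGES = [{"id": 1, "sender": "alice", "receiver": "bob", "text": "hi", "status": "Unread"}]

# --- As described: one app-wide key, and the caller simply names the account it acts for ---
def insecure_add_friend(params):
    if params.get("key") != APP_KEY:  # the only check, and the key is in every copy of the app
        return {"success": False}
    USERS[params["friendName"]]["friends"].add(params["userName"])  # userName never verified
    return {"success": True}

def insecure_search(params):  # hands out birthday and email to anyone who asks
    u = USERS[params["userName"]]
    return {"success": True, "data": {"user_name": params["userName"], "birthday": u["birthday"], "email": u["email"]}}

def insecure_fetch_messages(params):
    mine = [m for m in MESSAGES if m["receiver"] == params["userName"]]
    for m in mine: m["status"] = "Read"  # marked read on the server, but never removed
    return {"success": True, "data": [dict(m) for m in mine]}

# --- Hardened: a per-user session token issued after login; identity comes from the token ---
SESSIONS = {}  # token -> user_name, kept server side only
def issue_token(user_name):  # called once the password has been checked (check elided here)
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_name
    return token
def _caller(headers):
    return SESSIONS.get(headers.get("Authorization", ""))

def secure_add_friend(headers, params):
    me = _caller(headers)
    if me is None or params.get("friendName") not in USERS:
        return {"success": False}
    USERS[params["friendName"]]["friends"].add(me)  # requester is whoever the token belongs to
    return {"success": True}

def secure_search(headers, params):
    if _caller(headers) is None or params.get("userName") not in USERS:
        return {"success": False}
    return {"success": True, "data": {"user_name": params["userName"]}}  # no birthday, no email

def secure_fetch_messages(headers):
    me = _caller(headers)
    if me is None:
        return {"success": False}
    delivered = [dict(m) for m in MESSAGES if m["receiver"] == me]
    MESSAGES[:] = [m for m in MESSAGES if m["receiver"] != me]  # self-destruct enforced server side
    return {"success": True, "data": delivered}
```

In the hardened half the token, not the request body, decides who the caller is, the directory returns only the username, and a message is gone from the server the moment it has been handed to its recipient, so no later fetch (from any client) can bring it back.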

6 thoughts on “Puff Puff… Pass.”

  1. Anon

    Why do you set a font-weight: 300; in your css?

    Doing so creates a very thin, whispy font that is almost impossible to read.

    1. Ninja Post author

      Yeah I went ahead and got someone to change it to a default theme – I don’t know why it was doing that :/

  2. Nick

    Scroll down Suppo’s Twitter feed far enough (don’t waste your time reading it!) and you find one of his previous projects — some Facebook knock-off (how original) specifically for Newbury chavs like Suppo aka http://www.thetownbook.co.uk . Perhaps to be expected from some humorous Suppo tweets complaining about running a “business app” on sub-standard hosting providers, I guess we really should not be surprised that http://www.thetownbook.co.uk uses non-HTTPS login pages and non-HTTPS registration pages.

    Maybe “Security-fail” is Mike’s middle name?

    It is clear that should you use anything at all IT-related to which he has had any input, you should do so with extreme caution!

    1. Anonymous

      So you’d be correct -
      You can go back further still:
      http://www.linqsta.com is another project of his, another attempt at social networking. I don’t actually think he does anything himself and here is my evidence straight from the horse’s mouth (please note, the name above the message isn’t actually the sender, but thankfully they sign it anyway), these are his private messages from his linqsta.com account –

      http://s22.postimg.org/eqw48g4zj/developers.png

      P.S. – There are much bigger security holes on TheTownBook than the lack of SSL, and LinQsta is even funnier.

      Bonus Content:
      http://www.linqsta.com/user_photo/ – His long history of protecting user privacy.

      The guy is a fraud and another person trying to cash in, it was already clear for the lulzy state of PuffChat but this further solidifies his place as a charlatan.
