Nothing Chats, the emerging tech brand’s iMessage clone, has been taken down from the Google Play Store just days after the beta version was launched last week.

In its post on X, Nothing claims that its chats app was taken down due to “several bugs” and that they will be delaying the launch “until further notice” as they fix things with Sunbird, Nothing’s service provider.

However, evidence suggests that the problems are not just bugs but some pretty substantial security issues. According to a thorough analysis by Text.com, Sunbird was caught lying about the end-to-end encryption of the messages passing through its servers.

Nothing’s first disclosure states that, for Nothing Chats to work, users have to sign in with their Apple ID to Sunbird’s servers, which run on a Mac mini with a virtual machine. Sunbird claims that the messages sent to the servers are encrypted.

However, the researchers found that the JSON Web Tokens (JWT) the service generates are sent back, unencrypted, to another Sunbird server without SSL. This allows attackers to intercept them.
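To make the risk concrete, here is an added example (not code from the researchers, Nothing or Sunbird) that audits a list of outbound requests captured from your own app and flags any that carry a JWT over a non-TLS URL, decoding the claims to show that no key is needed to read them. The request records, hostnames and token are constructed for illustration, and the token is assumed to be in the common signed (JWS) compact form.

```python
import base64
import json
import re
from urllib.parse import urlsplit

# Compact JWS form of a JWT: three base64url segments separated by dots.
JWT_RE = re.compile(r"\b(eyJ[\w-]+)\.(eyJ[\w-]+)\.([\w-]*)")

def b64url_json(segment):
    """Decode one base64url JWT segment to a dict. No key is required."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def make_sample_jwt(claims):
    """Build a constructed token (placeholder signature) for the demo only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.c2lnbmF0dXJl"

def audit_requests(requests):
    """Return one finding per JWT that travels over a non-TLS URL."""
    findings = []
    for req in requests:
        if urlsplit(req["url"]).scheme.lower() in ("https", "wss"):
            continue  # transport is encrypted; token is not exposed on the wire
        haystack = " ".join(req.get("headers", {}).values())
        haystack += " " + req.get("body", "")
        for match in JWT_RE.finditer(haystack):
            try:
                claims = b64url_json(match.group(2))
            except ValueError:
                continue  # looked like a JWT but the payload is not JSON
            findings.append({"url": req["url"],
                             "exposed_claims": sorted(claims)})
    return findings

# Constructed sample data: hypothetical hosts and a made-up token.
SAMPLE_TOKEN = make_sample_jwt({"sub": "user@example.com", "exp": 1700000000})
SAMPLE_REQUESTS = [
    {"url": "https://api.example.test/login",
     "headers": {"Authorization": f"Bearer {SAMPLE_TOKEN}"}},
    {"url": "http://legacy.example.test/register",
     "headers": {}, "body": json.dumps({"token": SAMPLE_TOKEN})},
]

if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_REQUESTS):
        print(finding)
```

The signature on a JWT only protects it from being modified; confidentiality of the token depends entirely on the transport, which is why a plain-HTTP hop is the finding here.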

What’s more, the messages are decrypted and saved on the Sunbird servers, giving attackers enough time to get a hold of them before the user does.

So, how easily can someone actually access the messages? The researchers demonstrated that it took only 23 lines of code to download all user information and conversations.

The researchers also presented a website where anyone with enough coding knowledge can easily intercept their own messages.

We’ll see how this case develops, so stay tuned for that.

Via: The Verge
