User Thomas Hedderick first discovered the serious insecurities in the application. After attempting to contact someone from the app several times without reply, he posted this blog post to warn other users.
Searching for anyone in the app gives you their username, birthday, and email, which is already a security concern.
You can then use that information to perform nearly any operation in the API without access to the account or the user's device. To make matters far worse, nothing is deleted automatically (not even when the message has been read).
You can clearly see the server knows the message has been read and yet it remains; it's downloaded to your phone every time you make a request for your messages, the client just doesn't show it to you... and yes, that includes the nude dickpics you've been sending to that account. To top it all off, you can visit the pictures publicly via their site - nice! This is an incredible breach of privacy, and a blatant lie to their customers. It's 'secure' but no SSL, it's 'secure' but I can control your account remotely, it's 'secure' but I can see your junk on the web by visiting a public page. Proof? Here you go
TUAW tested this themselves and found that "you have the ability to view a user's friends list, birthday, and both sent and received text and photo messages. I set up two of my own Puffchat accounts to test this, sending a photo from one to the other, viewing it, and then fetching it via web browser after the fact. It's a bit of a joke."
Worst of all, Michael Suppo of PuffChat is threatening Hedderick for exposing his app.
This is a friendly message to advise that you remove all web based content about Puffchat, including http://faptrackr.org/blog/?p=70
Please remove within 1 hour. All content, including articles, scripts, reddit posts, tweets, everything. By 11.40pm today (3/3/2014).
Puffchat will be fixed in due course. Every piece of content with the original author's name attached to it after GMT scheduled will only provide evidence that can be used against him.
We strongly recommend that you 'manually clear your feed', which appears to delete the message logs, and stop using the application, at least until its issues are resolved.