Puffchat Threatens User After He Exposes Serious Security Problems With App

Puffchat, an app that claims to let you send vanishing messages like Snapchat, has been exposed as incredibly insecure: it saves deleted messages and makes supposedly deleted photos accessible via the web.

User Thomas Hedderick first discovered the serious security flaws in the application. After attempting several times to contact someone from the app without getting a reply, he published this blog post to warn other users.

Searching for anyone in the app gives you their username, birthday, and email which is already a security concern.

You can then use that information to perform nearly any operation in the API without access to the account or their device. To make matters far worse, nothing is deleted automatically (even when the message is read).

You can clearly see the server knows the message has been read and yet it remains; it's downloaded to your phone every time you make a request for your messages, the client just doesn't show it to you... and yes, that includes the nude dickpics you've been sending to that account. To top it all off, you can visit the pictures publicly and see via their site - nice! This is an incredible breach of privacy, and a blatant lie to their customers. It's 'secure' but no SSL, it's 'secure' but I can control your account remotely, it's 'secure' but I can see your junk on the web by visiting a public page. Proof? Here you go

TUAW tested this themselves and found that "you have the ability to view a user's friends list, birthday, and both sent and received text and photo messages. I set up two of my own Puffchat accounts to test this, sending a photo from one to the other, viewing it, and then fetching it via web browser after the fact. It's a bit of a joke."

Worst of all, PuffChat's Michael Suppo is threatening Hedderick for exposing his app.

This is a friendly message to advise that you remove all web based content about Puffchat, including http://faptrackr.org/blog/?p=70

Please remove within 1 hour. All content, including articles, scripts, reddit posts, tweets, everything. By 11.40pm today (3/3/2014).

Puffchat will be fixed in due course. Every piece of content with the original author's name attached to it after GMT scheduled will only provide evidence that can be used against him.


We strongly recommend that you 'manually clear your feed', which appears to delete the message logs, and stop using the application, at least until its issues are resolved.


ApfelStrudel - March 4, 2014 at 9:41pm
Went to the PuffChat Facebook page to post a link to this article. Posted it. 10 seconds later it was gone, and commenting was no longer possible on the PuffChat page. Somebody's got something to hide. Gosh. Be better if the guy just said "My bad. Sorry. Stay tuned. I'll fix it. Meanwhile don't use it." Then he'd stand a chance of resurrection. But by stonewalling his potential users, he is shooting himself in the foot. And that won't disappear in ten seconds.
Nick - March 4, 2014 at 4:57pm
Haha how can the developer honestly expect people to remove facts about a product that is publicly available. Talk about someone wanting to try and hide everything bad about an app they claimed to be "secure". Pathetic.
NoGoodNick - March 4, 2014 at 4:01pm
With an attitude like that, Snapchat deserves to go down in flames. Rather than addressing issues and cleaning up their act, they'd rather call down the lawyers and attack anyone who complains that they're ripping people off. Snapchat is a scam. It's an open lie trying to make your secure data accessible to everyone BUT you!
Will - March 4, 2014 at 4:18pm
You do realize this isn't about Snapchat, right?
Downs - March 4, 2014 at 9:59pm
Apparently not