December 22, 2024
Puffchat Threatens User After He Exposes Serious Security Problems With App


Posted March 4, 2014 at 6:43am by iClarified
Puffchat, an app that claims to let you send vanishing messages like Snapchat, has been exposed as incredibly insecure: it saves deleted messages and makes supposedly deleted photos accessible via the web.

User Thomas Hedderick first discovered the serious insecurities with the application. After attempting to contact someone from the app several times without reply, he posted this blog post to warn other users.

Searching for anyone in the app gives you their username, birthday, and email which is already a security concern.


You can then use that information to perform nearly any operation in the API without access to the account or their device. To make matters far worse, nothing is deleted automatically (even when the message is read).

You can clearly see the server knows the message has been read and yet it remains; it's downloaded to your phone every time you make a request for your messages, the client just doesn't show it to you... and yes, that includes the nude dickpics you've been sending to that account. To top it all off, you can visit the pictures publicly and see via their site - nice! This is an incredible breach of privacy, and a blatant lie to their customers. It's 'secure' but no SSL, it's 'secure' but I can control your account remotely, it's 'secure' but I can see your junk on the web by visiting a public page. Proof? Here you go

TUAW tested this themselves and found that "you have the ability to view a user's friends list, birthday, and both sent and received text and photo messages. I set up two of my own Puffchat accounts to test this, sending a photo from one to the other, viewing it, and then fetching it via web browser after the fact. It's a bit of a joke."

Worst of all, Puffchat's Michael Suppo is threatening Hedderick for exposing his app.


This is a friendly message to advise that you remove all web based content about Puffchat, including http://faptrackr.org/blog/?p=70

Please remove within 1 hour. All content, including articles, scripts, reddit posts, tweets, everything. By 11.40pm today (3/3/2014).

Puffchat will be fixed in due course. Every piece of content with the original author's name attached to it after GMT scheduled will only provide evidence that can be used against him.


We strongly recommend that you 'manually clear your feed', which appears to delete the message logs, and stop using the application, at least until its issues are resolved.


Comments (6)
ApfelStrudel - March 4, 2014 at 9:41pm
Went to the PuffChat Facebook page to post a link to this article. Posted it. 10 seconds later it was gone, and commenting was no longer possible on the PuffChat page. Somebody's got something to hide. Gosh. Be better if the guy just said "My bad. Sorry. Stay tuned. I'll fix it. Meanwhile don't use it." Then he'd stand a chance of resurrection. But by stonewalling his potential users, he is shooting himself in the foot. And that won't disappear in ten seconds.
Nick - March 4, 2014 at 4:57pm
Haha how can the developer honestly expect people to remove facts about a product that is publicly available. Talk about someone wanting to try and hide everything bad about an app they claimed to be "secure". Pathetic.
Will - March 4, 2014 at 4:18pm
You do realize this isn't about Snapchat, right?
Downs - March 4, 2014 at 9:59pm
Apparently not
kssst - March 5, 2014 at 8:49am
This article wasn't about Snapchat...
Diggy - March 4, 2014 at 7:31am
This developer needs a slap. The guy who exposed it needs a reward.