Though niche it may be, the recently released Nothing Chats has been a godsend for some people, especially in the US, where a great disparity exists between Apple and Android users. Regardless of the reasoning, dreams of seeing that blue bubble on an Android device (or more specifically, the Nothing Phone (2)) will have to wait, as the titular app has been pulled from Google Play.
Since its launch, the Sunbird-developed app has proven to be a privacy nightmare: it lacks end-to-end encryption, and it is alleged that all messages that go through it are easily accessible and public. Furthermore, it should be noted that the app requires the user to trust Sunbird, which in turn will log in to the user’s iCloud accounts on its own Mac Mini Server.
This shocking news and the app’s subsequent removal came after a blog post from Text.com, which listed all known issues found in the system, caught mainstream attention. After a few lines of questioning over on X, formerly known as Twitter, it was revealed that Sunbird was using HTTP as a basis for the app and maintained that it was secure when, in actuality, it was anything but.
The blog went so far as to break down the process in detail; with only a few lines of code, any message that has gone through the system can be downloaded. Worryingly, this process can even be automated if the coder is willing to put in the elbow grease. Proof of this vulnerability has been published on GitHub to show what makes this system tick.
Sunbird has access to every message sent and received through the app. They do this by abusing @getsentry, which is used to monitor errors.
But Sunbird logs messages, pretending they are errors.
Here are part of the requests (img 1, 3) and their entire “message” (img 2, 4) pic.twitter.com/pzwwQVWfOb
— Dylan Roussel (@evowizz) November 18, 2023
Further digging revealed that, aside from its lack of encryption, messages and documents of any kind are public – sneakily pretending to be errors in the code. Additionally, it was pointed out that the use of HTTP can also potentially result in users having their email addresses leaked.
Following this news, Nothing has confirmed to 9to5Google that it has removed the app from the Play Store and will be delaying its official release to fix its “several bugs.” The term the company used to describe the issue is pretty much an understatement, as it has actually sparked a heated discussion regarding its stance on transparency.
(Source: The Verge, Text.com, 9to5Google)