Oktacron logo
Cyber security aggregate rss news

Cyber security aggregator - feeds history
image for Why Nothing Chats is ...

 Privacy

The Nothing Chats app is a messenger created by the developer of the quite popular smartphone Nothing Phone — yet another iPhone killer. The main selling point of Nothing Chats is was the promise of giving Android users the ability to fully communicate using iMessage — a messaging system previously available only   show more ...

to iPhone owners. However, Nothing Chats was almost immediately found to have a whole host of security and privacy issues. These problems were so serious that less than 24 hours after its release in the Google Play Store, the application had to be removed. Lets delve into this in more detail. Nothing Chats, Sunbird, and iMessage for Android The Nothing Chats messenger was announced on November 14, 2023, in a video by the well-known YouTube blogger Marques Brownlee (aka MKBHD). He talked about how the new messenger from Nothing had plans to allow owners of a Nothing Phone (which is Android-based) to communicate with iOS users through iMessage. By the way, I recommend watching the video by MKBHD, at least to see how the messenger worked. The video also briefly outlines how the messenger operates from a technical point of view. To begin, users have to provide Nothing Chats with the login and password to their Apple ID account (and if they dont have one yet, they need to create one). After this, to indirectly quote the video, on some Mac mini somewhere on a server farm, this Apple account is logged in to, after which this remote computer serves as a relay transmitting messages from the users smartphone to the iMessage system, and vice versa. To give credit where credit its due, at the end of the sixth minute, the author of the video makes a point of emphasizing that this approach carries some serious risks. Indeed, logging in with your Apple ID on some unknown device that doesnt belong to you, located who knows where, is a very, very bad idea for a number of reasons. The coveted blue message clouds of iMessage — the main promise of Nothing Chats The Nothing company made no secret of the fact that iMessage for Android was not their own development. The company partnered with another company, Sunbird, so the Nothing Chats messenger was a clone of the Sunbird: iMessage for Android application, with some cosmetic interface changes. By the way, the Sunbird app was announced to the press back in December 2022, but its full launch for a wide audience was constantly postponed. Nothing Chats and security issues After the announcement, suspicions immediately arose that Nothing and Sunbird would face serious privacy and security issues. As mentioned earlier, the idea of logging in with your Apple ID on someone elses device is highly risky because this account gives full control over a significant amount of user information and over the devices themselves through the Apple feature Find My To reassure users, both Sunbird and Nothing asserted on their websites that logins and passwords arent stored anywhere, all messages are protected by end-to-end encryption, and everything is absolutely secure. Sunbirds website confirming the security and privacy of iMessage for Android, as well as the use of end-to-end encryption (spoiler: this isnt true) However, the reality was way off even the most skeptical predictions. Once the application became available, it quickly became clear that it totally failed to deliver on its promises regarding end-to-end encryption. Worse still, all messages and files sent or received by the user were delivered by Nothing Chats in unencrypted form to two services simultaneously — the Google Firebase database and the Sentry error monitoring service, where Sunbird employees could access these messages. The FAQ section on the official Nothing Chats page also explicitly mentions end-to-end encryption And if that still wasnt enough, not only Sunbird employees but anyone interested could read the messages. The issue was that the token required for authentication in Firebase was transmitted by the application over an unprotected connection (HTTP) and could, therefore, be intercepted. Subsequently, this token provided access to all messages and files of all users of the messenger — as mentioned earlier, all this data was sent to Firebase in plain text. Once again: despite assurances of using end-to-end encryption, any message from any user on Nothing Chats and all files sent by them — photos, videos, and so on — could be intercepted by anyone. Also, the FAQ page of Nothing Chats claims that messages are never stored anywhere — doesnt it make you want to cry? One of the researchers involved in analyzing the vulnerabilities of Nothing Chats/Sunbird created a simple website as proof of an attacks feasibility, allowing anyone to see that their messages in iMessage for Android could indeed be easily intercepted. Shortly after the vulnerabilities were made public, Nothing decided to remove their app from the Google Play Store to fix a few bugs. However, even if Nothing Chats or Sunbird: iMessage for Android returns to the store, its best to avoid them — as well as any similar apps. This story demonstrates vividly that when creating an intermediary service that allows access to iMessage, its very easy to make catastrophic mistakes that put users data at extreme risk. What Nothing Chats users should do now If youve used the Nothing Chats app, you should do the following: Log into your Apple ID account from a trusted device, find the page with active sessions (devices youre logged in to), and delete the session associated with Nothing Chats/Sunbird. Change your Apple ID password. Its an extremely important account, so its advisable to use a very long and random sequence of characters — Kaspersky Password Manager can help you generate a reliable password and store it securely. Uninstall the Nothing Chats app. You can then use a tool created by one of the researchers to remove your information from Sunbirds Firebase database. If youve sent any sensitive information through Nothing Chats, then you should treat it as compromised and take appropriate measures: change passwords, reissue cards, and so on. Kaspersky Premium will help you track possible leaks of your personal data linked to email addresses or phone numbers.

 Breaches and Incidents

The company has not provided information on whether any data was compromised or how the attackers breached its systems. London & Zurich has stated that it is working to restore its services by the end of the week.

 Trends, Reports, Analysis

Between November 1 and November 14 this year, security vendor Egress detected a 237% increase in phishing emails relating specifically to Black Friday and Cyber Monday, versus the period September 1-October 31.

 Feed

Cybersecurity researchers are warning of publicly exposed Kubernetes configuration secrets that could put organizations at risk of supply chain attacks. “These encoded Kubernetes configuration secrets were uploaded to public repositories,” Aqua security researchers Yakir Kadkoda and Assaf Morag said in a new research published earlier this week. Some of those impacted include two top blockchain

 Feed

Cybersecurity researchers have shed light on a Rust version of a cross-platform backdoor called SysJoker, which is assessed to have been used by a Hamas-affiliated threat actor to target Israel amid the ongoing war in the region. “Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar

 Feed

The title of this article probably sounds like the caption to a meme. Instead, this is an actual problem GitGuardian's engineers had to solve in implementing the mechanisms for their new HasMySecretLeaked service. They wanted to help developers find out if their secrets (passwords, API keys, private keys, cryptographic certificates, etc.) had found their way into public GitHub repositories. How

 Feed

More details have emerged about a malicious Telegram bot called Telekopye that's used by threat actors to pull off large-scale phishing scams. "Telekopye can craft phishing websites, emails, SMS messages, and more," ESET security researcher Radek Jizba said in a new analysis. The threat actors behind the operation – codenamed Neanderthals – are known to run the criminal enterprise as a

2023-11
Aggregator history
Friday, November 24
WED
THU
FRI
SAT
SUN
MON
TUE
NovemberDecemberJanuary