The popular video calling and messaging app JusTalk claims to be secure and encrypted. But a security flaw proved the app was neither secure nor encrypted after a huge cache of users’ unencrypted private messages was discovered exposed online.
The messaging app is widely used in Asia and has a rapidly growing international audience of 20 million users worldwide. Google Play lists JusTalk Kids, billed as a kid-friendly and compatible version of the messaging app, with over 1 million downloads for Android.
JusTalk says that both of its apps are end-to-end encrypted and only the participants in the conversation can read its messages, and boasts on its website that “only you and the person you’re chatting with can see, read, or listen to them: even the team JusTalk will not access your data!”
But a review of the huge cache of internal data that TechCrunch saw shows that these claims are not true. The data includes millions of JusTalk user messages, along with the exact date and time each was sent and the phone numbers of the sender and recipient. The data also contained records of calls made using the app.
Security researcher Anurag Sen found the data this week and asked TechCrunch to help inform the company. Juphoon, the Chinese cloud company behind the messaging app, said it created the service in 2016 and that it is now owned and operated by Ningbo Jus, which apparently shares the same office as the one listed on the Juphoon website. But despite repeated attempts to contact JusTalk founder Leo Lev and other executives, our emails were not acknowledged or returned, and the company has made no attempt to fix the leak. A text message sent to Lev’s phone was marked as delivered but not read.
Because every message recorded in the data included the phone numbers of everyone in the same chat, it was possible to follow entire conversations, including those of children who used the JusTalk Kids app to communicate with their parents.
The internal data also included location details of thousands of users, collected from their phones, with large user groups in the US, UK, India, Saudi Arabia, Thailand, and mainland China.
The data also contained entries from a third app, Sen said: JusTalk 2nd Phone Number, which allows users to generate virtual, ephemeral phone numbers instead of giving out their personal mobile number. A review of some of these entries shows both the user’s mobile number and all the ephemeral phone numbers they generated.
We are not disclosing where or how the data can be obtained, but we weighed in favor of public disclosure after finding evidence that Sen was not alone in discovering the data.
This is the latest data leak involving China. Earlier this month, a huge database of about 1 billion people in China was extracted from a Shanghai Police database stored in the Alibaba cloud, and some of the data was published on the internet. Beijing has yet to comment publicly on the leak, but links to the breach on social media have been widely censored.
Credit: techcrunch.com