Puff Puff… Pass
faptrackr.orgTerrible response by the Puffchat guy: https://twitter.com/MikeSuppo (Google Play's dev listing goes to the Puffchat blogspot site, which links to this Twitter account.)
"This is a friendly message to advise that you remove all web based content about Puffchat"
"Please remove within 1 hour."
"Puffchat will be fixed in due course. Every piece of content with the original author's name attached to it after GMT scheduled will only provide evidence that can be used against him."
Maybe. But a publicity stunt that highlights findings that run counter to what you're trying to sell the platform on seems dubious.
No such thing as bad publicity. It gets the brand known "oh, yeah, puffchat, I've heard of that, can't remember why", and if they tell users that it's secure often enough, no amount of evidence that it isn't will make any difference - humans respond more strongly to an authoritative voice than to objective reality.
> @iH8sn0w @NinjaLikesCheez All content, including articles, scripts, reddit posts, tweets, everything. By 11.40pm today (3/3/2014).
Hahaha, that is a pretty hilarious bit of fail, there. I don't think it could really be intentional... it might make him kinda famous (in a probably unwanted way) but it won't net him new users.
https://twitter.com/sexysez95_sarah - fake account promoting puffchat seems pretty sleazy. https://twitter.com/Queenselfie96 also seems suspicious
Yeah they are pretty awful, the funny thing is they're the most popular accounts on the app :/
This is what reverse google image search says:
https://www.google.com/search?tbs=sbi:AMhZZitfuTwYMbUV9Yv-cR...
Her actual account: https://twitter.com/rachelburr1
https://www.google.com/search?tbs=sbi:AMhZZivEFJQlM8ezy2mFjo...
And her account: https://twitter.com/ashleeholmes
Either they really like puffchat and they made separate account to promote it, or the pictures were stolen and the accounts are fake.
Yeah I did an image reverse on a couple of her pictures earlier: https://www.google.com/search?tbs=sbi:AMhZZisLJGBQtjlgs7XolU...
Most of the stuff she sends you can see the pixels of the computer screen she is taking them on haha
I'm not seeing where the "intimidates security researcher" part mentioned in the title comes in. Am I missing something?
Seems the founder thinks he can suppress speech through tweeting: https://twitter.com/NinjaLikesCheez/status/44064551256879513...
Thanks for the link! I thought I was taking crazy pills.
You can read the founder's response to the disclosures on Twitter https://twitter.com/MikeSuppo
Reading his responses, the entire app feels like a bad attempt at trolling.
In any case, nice write up. I enjoyed reading it.
And it is all over the internet:
Blog’s going offline while we bump the specs so we can deal with all the traffic, bear with.
I expect to see some articles tomorrow.
First one: http://www.tuaw.com/2014/03/03/snapchat-competitor-puffchat-...
I'm not too impressed with the blog's author either. He documents breaking into another website in a previous blog post: http://faptrackr.org/blog/?p=45
That website hosted pirated copies of iOS apps, so it's not as bad as it seems.
It seems OP is in similar business.
Piracy is not the only reason why you would decrypt an app.
Exactly. A lot of people don't know that you can easily crack a .ipa binary and see things like method names and string constants with about 5 minutes of work. You can do the same with Android .apk files. Seriously, if you're doing security intensive software, try to crack your own binary and see what information you can get. You'll probably see way more than you thought you would.
As did a site the author was running, by my read. Responsible disclosure is one thing, but I won't support defacing of websites.
Don't throw the baby out with the bathwater, as they say.
Agreed, but it makes me wonder if we can trust the author's description of his disclosure efforts. Not that that gives a free pass to the app developer(s), of course.
You're right, it is silly, it was a dumb thing to do - but most_unique was actively commiting credit card fraud of innocent people to run his site and wasn't going to stop anytime soon.
It was the content of the article, and not the title of the blog that left the bad impression?
Take a look at vaportstream. They have ephemeral messaging that leverages vram to hide the messages from the kernel. Pretty secure.
They really need to make a secure version of this app. You'd be saving thousands of burner phones from entering landfills.
Aren't burner phones that way because you want to ditch the entire phone to erase any link to you after using it in an incriminating way?
Even if this app was "secure", it wouldn't prevent the need to ditch a phone. LE can subpoena the company, find out which IP:port connected for whatever user/message. Then go to cell company and get records and track the cell.
Get an android and use textsecure if you actually care about people not reading your messages.
If you're using a burner I doubt the environment is your topmost concern.
Why would you even consider using this app?
1. Create snapchat alternative to try to harvest sensitive content & info. 2. Profit.
There is no platform or space, in someone else's control, that you can or should trust this way.
From Founders twitter:
> provide evidence that can be used against him.
So is the founder trying to mount a legal case against him for hacking?
11 (or is it 12?) months in, Andrew "Weev" Auernheimer is still serving a 3-year conviction (on appeal now) for "hacking" the AT&T iPad signup script to get email addresses out of it ... using a web request and random numbers. In case that's not clear enough, it was published, public data waiting to be requested, no security restrictions except the numbers to be guessed. I'd say that's the same for any such "private" (hah!) service that uses ID numbers to access data over public channels, wouldn't you?
@notacop See what great work you could be doing if you would participate in the year of code?
Ultimate Streisand effect - I have literally never heard of this app that seems geared towards drug users; and yet I learn about it from it's incompetance.
How do people release public API's without THE MOST BASIC OF SECURITY CHECKS. Really? You can add a friend without any checks and even send messages as someone else? Christ.
A) Who funds these guys?
B) How can I get a piece of that seemingly-easy-as-hell-to-get pie?
I triggered executive-level uproar just yesterday by pointing out what should have been obvious security issues in an API we were about to be asked to integrate with. I was not the first technical person to look at the document we were given, and in fact I was the only one to look at it who couldn't actually read it in detail (it was in Chinese, I only speak English, but the identifiers were in English), but nobody else had spotted the problem.
I'm not a roving security consultant, so my sample size is limited, but I have seen little evidence that even basic security awareness is part of the toolkit any substantial number of developers have.
I was a security specialist at a large software company for a couple of years, and I did some developer training.
> I'm not a roving security consultant, so my sample size is limited, but I have seen little evidence that even basic security awareness is part of the toolkit any substantial number of developers have.
My experience matches yours.
Agreed, and I think that's when a (good) CS education makes the difference, by helping you grasp how t design and code for security, which are fundamental concepts that a lot of "junior" developers have no clue about. And then you see the same basic attack vectors creeping up all the time...
I have no CS education. I don't have any degree, or even a high school diploma. Most of those around me have had CS or related degrees, many from quite well-regarded programs, but there has been no apparent correlation to security awareness. To the extent they have an edge, it's in mathematical analyses and algorithm design/implementation[0], which are of limited direct use in most day-to-day things like noticing "this endpoint uses plain HTTP", "this isn't an HMAC, also serial numbers aren't secret keys", or "a 4-digit PIN is not a secure password".
[0] And even then, I've wondered more than once what the hell goes on in CS programs when I've found myself explaining concepts like entropy and the difference between speed and scalability.
I can definitely see a developer's concerns being brushed aside as a "business decision" on the grounds that growing their userbase or adding new features is more important to the startup's survival than security at that time.
It's actually a pretty damn good line, and I think it's really, fantastically hard to know when your ethical responsibility as an engineer starts to outweigh your obligations as an employee.
Hmm, did you just post this "disclosure" on your blog before informing the company? Well, now everyone is at risk if your claims are true. Poor form.
Proper course is to disclose to company first, then disclose after fix is in place in reasonable amount of time. Why risk everyone for your benefit?
"In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data."
At the bottom of the post it does state:
In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data.
Everyone was already at risk, but they didn't know it. They were already downloading this content to devices everywhere.
He also says that he tried to contact the developer but got no response.
The dev would have been much better off apologizing, pushing a fix, and asking for a temporary embargo while the fix is put into place.
FTA:
"In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data."
As you can read in the article, he did try to contact the developer.
That aside, though, when the issues are this egregious I'm honestly not sure what the right approach is. With flaws this bad it's hard to imagine that they're even capable of fixing the problems, let alone responding appropriately to the disclosure.
They seem like really easy problems to fix, too.
Puffchat put people at risk.
Fuck "Responsible Disclosure" in cases of utter incompetence like this.
TFA states precisely this:
"In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data."
This needs to be a part of ThatHigh.com :)
Except, you know, not sketchy.