The Nothing Chats app, released by Nothing at the beginning of last week, has been temporarily removed from the Google Play Store by the company. A security vulnerability was detected in the Nothing Chats application, which was pulled from the Google Play Store due to a software error. Here are the details…
Nothing Chats removed from Google Play Store due to security vulnerability
According to extensive technical analysis by Rida F’kih and Twitter users @batuhan and @1ConanEdogowa, messages transmitted over Nothing’s servers are not end-to-end encrypted, as claimed by Nothing’s service provider Sunbird.
The Nothing Chats app requires registration with an Apple ID. The company, which keeps user and message information on Sunbird servers, does not end-to-end encrypt sent messages as claimed. Also, as the testers discovered, the JSON Web Tokens (JWTs) generated by the service are sent in cleartext, without SSL, to another Sunbird server.
In Nothing Chats, messages are encrypted and stored on Sunbird servers, giving an attacker the chance to access them before the user does. The team that identified the vulnerability demonstrated this by sending several messages between two devices and compromising the JWT.
According to the published report, malicious actors can intercept their own messages while sending them between two devices by writing a few lines of code. They can do this while connected to the same network as either of the devices being messaged.
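The core of the finding above is that a bearer JWT carried over a connection without SSL/TLS can be read, claims included, by anyone on the same network path. The following Python is an added illustration written for this article, not code from the researchers, Nothing or Sunbird: it builds a constructed demo token, shows how much a passive observer can recover from it without ever verifying the signature, and runs a small detector over constructed outbound-request records that flags bearer JWTs sent to plain `http://` URLs. All hostnames, claims and the token are placeholders; the function names are this example's own.

```python
import base64
import json
from urllib.parse import urlsplit


def _b64url(data: bytes) -> str:
    """base64url without padding, the encoding JWT segments use (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url: re-add padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_demo_jwt(claims: dict) -> str:
    """Constructed demo token with a placeholder signature. It is never verified
    here; the point is only that its header and claims are readable by anyone
    who sees it on the wire."""
    header = {"alg": "HS256", "typ": "JWT"}
    return ".".join([
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url(b"placeholder-signature"),
    ])


def decode_jwt_claims(token: str):
    """Return (header, payload) WITHOUT verifying the signature, or None if the
    string is not shaped like a JWT. This is exactly what a passive observer on
    an unencrypted link can do; nothing secret is needed to read the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(header, dict) or "alg" not in header or not isinstance(payload, dict):
        return None
    return header, payload


def is_transport_secure(url: str) -> bool:
    """The guard a client should apply before attaching a bearer token:
    only https carries credentials."""
    return urlsplit(url).scheme.lower() == "https"


def find_cleartext_jwts(requests):
    """Scan (method, url, authorization_header) records, as an egress proxy or
    app-level request log might produce them, and report every bearer JWT that
    was sent over a non-TLS URL, together with the claims an observer would see."""
    findings = []
    for method, url, auth in requests:
        if auth is None or is_transport_secure(url):
            continue
        scheme, _, token = auth.partition(" ")
        if scheme.lower() != "bearer":
            continue
        decoded = decode_jwt_claims(token.strip())
        if decoded is None:
            continue
        header, payload = decoded
        findings.append({"method": method, "url": url,
                         "alg": header.get("alg"), "claims": payload})
    return findings


# Constructed sample data: placeholder hosts under .invalid and a demo token.
DEMO_TOKEN = build_unsigned_demo_jwt({"sub": "user-123", "exp": 1700000000})
SAMPLE_REQUESTS = [
    ("POST", "https://api.example-messaging.invalid/v1/messages", "Bearer " + DEMO_TOKEN),
    ("GET", "http://relay.example-messaging.invalid/sync", "Bearer " + DEMO_TOKEN),
    ("GET", "http://cdn.example-messaging.invalid/static/logo.png", None),
]

if __name__ == "__main__":
    for finding in find_cleartext_jwts(SAMPLE_REQUESTS):
        print("cleartext JWT:", finding["method"], finding["url"], finding["claims"])
```

Only the second record is reported: the first carries the same token over https, and the third carries no credential at all. The detector deliberately never checks the signature, because the exposure being illustrated does not depend on forging anything; a token observed in cleartext is simply replayable as-is until it expires, which is why the `is_transport_secure` check belongs in the client before any token is attached, not only in after-the-fact log review.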
What do you think about this issue? You can share your ideas with us in the comments section.