Messaging app JusTalk leaks millions of unencrypted messages – TechCrunch


Popular video calling and messaging app JusTalk claims to be both secure and encrypted. But a security flaw proved the app to be neither secure nor encrypted after a huge cache of users’ unencrypted private messages was discovered online.

The messaging app is widely used across Asia and has a thriving international audience with 20 million users worldwide. Google Play lists JusTalk Kids, which is considered a kid-friendly and compatible version of its messaging app, with over 1 million Android downloads.

JusTalk says both of its apps are end-to-end encrypted, where only the people in the conversation can read its messages, and boasts on its website that “only you and the person you’re communicating with can see, read or listen to them. The JusTalk team will not access your data.”

But a review of the massive cache of internal data seen by TechCrunch proves those claims to be false. The data includes messages from millions of JusTalk users, along with the exact date and time they were sent, as well as the sender’s and recipient’s phone numbers. The data also contained records of calls made through the app.

Security researcher Anurag Sen found the data this week and asked TechCrunch for help reporting it to the company. Juphoon, the Chinese cloud company behind the messaging app, said it launched the service in 2016 and that the service is now owned and operated by Ningbo Jus, which appears to share the same office listed on Juphoon’s website. But despite multiple efforts to reach JusTalk founder Leo Lv and other executives, our emails were not acknowledged or returned, and the company made no attempt to fix the leak. A text message to Lv’s phone was marked as delivered but unread.

Because each message recorded in the data contained all the phone numbers of the same conversation, it was possible to track all conversations, including those of children using the JusTalk Kids app to talk to their parents.

The internal data also included the granular location of thousands of users collected from users’ phones, with large clusters of users in the United States, United Kingdom, India, Saudi Arabia, Thailand, and mainland China.

According to Sen, the data also contains records from a third app, JusTalk 2nd Phone Number, which allows users to create virtual, temporary phone numbers to use instead of providing their personal cell phone number. A review of some of these records reveals both the user’s cell phone number and any temporary phone numbers they have created.

We are not disclosing where or how the data is obtained, but are weighing public disclosure after we found evidence that Sen was not alone in discovering the data.

This is the latest data leak in China. Earlier this month, a huge database of nearly 1 billion Chinese people was collected from a Shanghai police database stored on Alibaba’s cloud, and some of the data has been released online. Beijing has yet to publicly comment on the leak, but references to the breach on social media have been widely censored.




