JusTalk spanned millions of user messages and locations for months – Meczyki.Net

popular messaging apps JusTalk left a vast database of unencrypted private messages publicly exposed on the Internet for months without a password.

The messaging app has about 20 million international users, while Google Play lists JustTalk KidsBilled as a kid-friendly version of its messaging app, it has garnered over 1 million Android downloads.

JusTalk says that both of its messaging apps are end-to-end encrypted and claims on its website that “only you and the person you communicate with can see, read or hear them: even That even the JusTalk team won’t be able to access your data!”

But this is not true. According to a security researcher, a logging database the company used to track bugs and errors with apps was left on the Internet without a password. Anurag Senwho found the exposed database and asked Meczyki.Net for help reporting the lapse to the company.

The database and hundreds of gigabytes of data – hosted on Huawei-hosted cloud servers in China – can be accessed from a web browser just by knowing its IP address. Shodan, a search engine for exposed devices and databases, shows that the server had been consistently storing logs for the most recent month since at least the beginning of January when the database was first revealed.

Shortly after the app was reported not to be end-to-end encrypted, the database was shut down, the company claimed.

Xufun, the China-based cloud company behind the messaging app, says on its website that it spun out JusTalk in 2016 and is now owned and operated by Ningbo Jus, a company that appears to have share The same office that is listed on Xufun’s website.

Leo Love, chief executive of Jufun and founder of JuiceTalk, opened our emails but did not respond, or say whether the company plans to notify users about the security lapse.

Because the server’s data was littered with logs and other computer-readable data, it is not known exactly how many people’s private messages were exposed by the security lapse.

The server was collecting and storing more than 10 million personal logs each day, containing millions of messages sent to the app, including the phone numbers of the sender, recipient, and the message itself. The database also logged all placed calls, with each record containing the phone numbers of the caller and recipient.

Since each message recorded in the database contained every phone number in a single chat, it was possible to follow the entire conversation, including children who used the JusTalk Kids app to chat with their parents. Was doing. A conversation chain contained enough personal information to identify a pastor who was using the app to urge a sex worker to publicly list their phone number for their services, including at the time, The location and the price of their meeting are included.

None of the messages were encrypted, despite JusTalk’s claims.

We also reported earlier that the database also included fine-grained location data of thousands of users collected from users’ phones, along with large clusters of users in the US, UK, India, Saudi Arabia, Thailand and mainland China. The database also had records for the third app, JusTalk second phone number, which allows users to generate virtual, short-lived phone numbers to use instead of giving out their personal cell phone number. A review of some of these records shows that the database was logging both the person’s cell phone number and each ephemeral phone number they generated.

But Meczyki.Net found evidence that Sen was not alone in finding the exposed database.

An undated ransom note left on the database reveals that it was accessed on at least one occasion by a data extortionist, a bad actor who scans the Internet for databases exposed to steal it and data. Threatens to publish the cryptocurrency unless a ransom of a few hundred dollars worth of cryptocurrency is paid.

It is not known whether any JusTalk data was lost or stolen as a result of the extortionist’s access, but the blockchain address associated with the ransom note shows that he has yet to receive any funds.