Nothing Chats, the messaging app recently released by Nothing, has been swiftly pulled from the Google Play Store. The official reason given is the need to fix “several bugs” before a relaunch, with no timeline provided. However, growing evidence, reported by 9to5Google and other sources, indicates that the removal was prompted by serious security vulnerabilities rather than minor bugs.
Sunbird’s Fraudulent Claims
Rida F’kih of Texts.com, together with Twitter users @batuhan and @1ConanEdogowa, published disturbing findings about Nothing’s provider, Sunbird. The company allegedly misrepresented messages passing through its servers as end-to-end encrypted.
Users who signed up for Nothing Chats had to sign in with their Apple ID on Sunbird’s infrastructure, a Mac mini running a virtual machine. Although Sunbird claimed that messages were encrypted in transit to its servers, the three investigators found a critical flaw: the JSON Web Tokens (JWTs) issued by the service were sent in the clear to another Sunbird server that had no SSL/TLS, so anyone on the network path could intercept them.
Compounding this, messages were decrypted and stored on Sunbird’s servers, giving an attacker the opportunity to read them before the intended recipient did. Texts.com demonstrated the vulnerability by intercepting JWTs and using them to access the Firebase realtime database with just 23 lines of code, downloading all user data and conversations.
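The two findings above (a JWT travelling over plain HTTP, and that token then granting access to the backend) are easier to reason about with a concrete check. The following script is an added example written for this article, not code from Texts.com, Sunbird or Nothing. It scans a constructed capture of client requests the way an on-path observer would see them, flags every bearer JWT sent without TLS, and decodes the token’s claims to show whose session it would grant and for how long. Hosts, paths, the signing key and the tokens are all hypothetical; the point it makes is that reading and replaying a JWT needs no key at all, only visibility of the wire.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed HMAC key used only to mint the sample tokens below. Note that an
# on-path attacker never needs it: reading or replaying a captured JWT requires
# no knowledge of the signing key.
_SAMPLE_KEY = b"constructed-sample-key"
NOW = 1_700_000_000  # fixed "current time" so the run is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_jwt(claims: dict) -> str:
    """Mint an HS256 JWT. Used here only to construct the sample capture."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(_SAMPLE_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_jwt_claims(token: str) -> dict:
    """Read the claims without verifying the signature: a JWT payload is only
    base64url-encoded, so anyone holding the token can read it."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


@dataclass
class Exposure:
    url: str
    subject: str
    seconds_until_expiry: int  # negative: an observer could no longer replay it


def find_cleartext_bearer_tokens(requests: list, now: int = NOW) -> list:
    """Flag every bearer JWT sent over plain http (no TLS), i.e. readable by
    anyone on the network path, and report whose session it would grant."""
    findings = []
    for req in requests:
        auth = req["headers"].get("Authorization", "")
        if not auth.startswith("Bearer "):
            continue
        if urlsplit(req["url"]).scheme != "http":
            continue  # over https the token sits inside the TLS tunnel
        claims = decode_jwt_claims(auth[len("Bearer "):])
        findings.append(Exposure(req["url"], claims.get("sub", "?"),
                                 claims.get("exp", 0) - now))
    return findings


# Constructed capture: hypothetical hosts and paths, not real Sunbird endpoints.
SAMPLE_CAPTURE = [
    {"url": "https://api.example.invalid/login",
     "headers": {"Authorization": "Bearer " + make_jwt({"sub": "user-1", "exp": NOW + 3600})}},
    {"url": "http://sync.example.invalid/messages",
     "headers": {"Authorization": "Bearer " + make_jwt({"sub": "user-1", "exp": NOW + 3600})}},
    {"url": "http://sync.example.invalid/messages",
     "headers": {"Authorization": "Bearer " + make_jwt({"sub": "user-2", "exp": NOW - 60})}},
    {"url": "http://cdn.example.invalid/logo.png", "headers": {}},
]

if __name__ == "__main__":
    for finding in find_cleartext_bearer_tokens(SAMPLE_CAPTURE):
        print(finding)
```

Run against the sample capture, the script reports the two requests to the http host and ignores the https login, which carried the very same token: the same credential is safe or exposed purely depending on the transport. A token that is still hours from expiry is the one an attacker replays against the backend, which is exactly the path the Texts.com demonstration took.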
No answer raises questions of transparency
The Texts.com author went a step further by providing a website where users with coding expertise can intercept their own messages in transit between two devices, one of which is running Nothing Chats.
Although the privacy breach is entirely Sunbird’s responsibility, Nothing, having chosen the company as its provider, is implicated as well. Furthermore, describing such serious security flaws as mere “bugs” raises questions of transparency.