User Credentials at Risk Due to Unaddressed Security Flaw in CMF Watch App
Nothing, a London-based startup founded by Carl Pei, has resolved a security vulnerability that affected the companion app of the recently launched CMF Watch Pro. According to the report, this vulnerability can expose the email address and password that the user registered with on the platform.
Notably, this comes just weeks after Nothing made headlines for partnering with SunBird to bring iMessage to the Nothing Phone 2 via the Nothing Chat app, only for the launch to be marred by controversy after SunBird allegedly failed to encrypt outgoing messages sent using the service as it had claimed.
For the uninitiated, CMF is a new sub-brand of Nothing that is said to focus on design that won’t break the bank.
What is the security issue with CMF Watch Pro?
According to 9to5Google contributor Dylan Roussel, Nothing allegedly partnered with another company, Jingxun, on the app, but the real problem is with the encryption the app applies as standard to the passwords and email addresses users sign up with. “The encryption method used also made it possible to decrypt the email and the password using the exact same keys,” Roussel noted.
He added: “Essentially, anyone who got their hands on the encrypted email and password could have decrypted them, effectively rendering the encryption useless.”
Company releases a partial fix
Dylan Roussel notes that the brand has released a partial fix in the latest update to the companion app, but says the risk still exists. Nothing has also issued a statement to 9to5Google about the matter, confirming that it is working to fix the rest of the issue.
Moreover, after this incident, the brand has also opened an official channel where users can report security holes to the team so that appropriate action can be taken.