Snapchat competitor Puffchat is incredibly insecure, founder threatens legal action

Mike Wehner, @MikeWehner
March 3, 2014

Puffchat, a timed text and photo messaging client in the vein of Snapchat, is broken. So broken in fact that I, with very little knowledge in the way of HTTP sniffing, was able to access supposedly deleted photos and messages using a free-to-download security testing application. Yeah, it's that bad.

Remember, this is supposed to be a Snapchat competitor, and that company has already learned its lesson when it comes to claiming that content has been deleted before it actually is. The iTunes description of Puffchat uses words like "vanishes" and "ultimate protection," but offers neither to the user. In fact, the images shot by Puffchat users are stored as simple JPEG files on the company's Puffchat.me server, which can be accessed freely as long as you know the address.

If you can monitor and tweak HTTP traffic between your iPhone and the web -- and there are a number of free programs that let you do just this -- you have the ability to view a user's friends list, birthday, and both sent and received text and photo messages. I set up two of my own Puffchat accounts to test this, sending a photo from one to the other, viewing it, and then fetching it via web browser after the fact. It's a bit of a joke.

Self-described hacker Thomas Hedderwick was the first to draw attention to how incredibly insecure the messaging service -- which boasts between 13,000 and 15,000 users -- really is. In a blog post, Hedderwick alerted users to the extremely lax security of the app and begged Puffchat founder Michael Suppo to do something about it.

Taking to Twitter, Hedderwick was ignored by both Suppo and the official Puffchat account even after pointing out how easy it is to bypass the app's thin guise of security. That is, until tonight, when Suppo alerted Hedderwick via Twitter that all mentions of Puffchat's security issues must be removed by 11:40 PM GMT, lest he be prepared for a legal battle.

Hedderwick's original post doesn't detail exactly how to access supposedly deleted photos -- as violating user privacy is the opposite of what he is trying to accomplish -- but the process is so simple that it's hard to not figure it out after seeing the commands the Puffchat app is sending back to its server. Needless to say, if you're currently using Puffchat, stop and wait for a fix.

As far as reassurance that the app is secure, Suppo has offered none, only to say that the service "will be fixed in due course." We'll keep an eye out for it, but in the meantime it seems like startups need to remember that security is paramount.
