Puffchat, a timed text and photo messaging client in the vein of Snapchat, is broken. So broken in fact that I, with very little knowledge in the way of HTTP sniffing, was able to access supposedly deleted photos and messages using a free-to-download security testing application. Yeah, it's that bad.
Remember, this is supposed to be a Snapchat competitor, and that company has already learned its lesson when it comes to claiming that content has been deleted before it actually is. The iTunes description of Puffchat uses words like "vanishes" and "ultimate protection," but offers neither to the user. In fact, the images shot by Puffchat users are stored as simple JPEG files on the company's Puffchat.me server, which can be accessed freely as long as you know the address.
If you can monitor and tweak HTTP traffic between your iPhone and the web -- and there are a number of free programs that let you do just this -- you have the ability to view a user's friends list, birthday, and both sent and received text and photo messages. I set up two of my own Puffchat accounts to test this, sending a photo from one to the other, viewing it, and then fetching it via web browser after the fact. It's a bit of a joke.
Self-described hacker Thomas Hedderwick was the first to draw attention to how incredibly insecure the messaging service -- which boasts between 13,000 and 15,000 users -- really is. In a blog post, Hedderwick alerted users to the extremely lax security of the app and begged Puffchat founder Michael Suppo to do something about it.
Taking to Twitter, Hedderwick was ignored by both Suppo and the official Puffchat account even after pointing out how easy it is to bypass the app's thin guise of security. That is, until tonight, when Suppo alerted Hedderwick via Twitter that all mentions of Puffchat's security issues must be removed by 11:40 PM GMT, or else he should be prepared for a legal battle.
Hedderwick's original post doesn't detail exactly how to access supposedly deleted photos -- as violating user privacy is the opposite of what he is trying to accomplish -- but the process is so simple that it's hard to not figure it out after seeing the commands the Puffchat app is sending back to its server. Needless to say, if you're currently using Puffchat, stop and wait for a fix.
As far as reassurance that the app is secure, Suppo has offered none, only to say that the service "will be fixed in due course." We'll keep an eye out for it, but in the meantime it seems like startups need to remember that security is paramount.