A Chinese chatting and photo sharing application with over 10 million users exposed chats and private photos. Read on to know more about it…
Sweet Chat, an Android-based chatting and photo sharing application with over 10 million users, has been exposing its users' chat content and photos on an unsecured server. Sweet Chat is a Tinder-like Android chatting application. It had risen to the top 10 social apps in Latin America, the Middle East, and some other regions.
An analysis of the Sweet Chat service has identified several poor design and security practices used in the development of the application. The security researcher Darryl Burke discovered the Chinese app Sweet Chat exposing the personal data of its users. Burke noted that anyone with MQTT-related tools could view the real-time chats and private photos of all online Sweet Chat users.
Sweet Chat uses the MQTT messaging protocol for the standard publish/subscribe features in the app. A flawed implementation of the MQTT protocol can lead to exposure of private data: using common MQTT-related tools, anyone could view, in real time, the chats and private photos of all online Sweet Chat users. Several MQTT vendors are known to have issues with insecure use or installation. Review of the exposed data has made it evident that extensive "bot" traffic is being generated, and that it was used to lure users into spending credits (purchased under paid monthly subscriptions) or to send various gift cards for financial gain.
In his blog, Darryl Burke wrote: “During a routine scan and data profiling of unsecured MQTT servers, I came across a beta server which was allowing unsecured subscriptions to various wildcard topics”.
Burke added “During the initial analysis it became clear that the rate, and the repeatability of the data exposed was indicative of a beta system, however, it did identify that a full investigation of a potential production system was warranted. As with most applications which use an Android client, the best place to start was with an install, decompilation, and analysis of the production software.”
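The flaw described above and in Burke's observation is a broker that accepts anonymous wildcard subscriptions. The following configuration, an added illustration that is not Sweet Chat's actual setup, shows the weak pattern beside a hardened Mosquitto configuration; the Mosquitto broker, the file paths, the `chat/<username>/...` topic layout and the `announcer` account are all assumptions, not details from the report.

```conf
# --- Weak: a constructed example of the kind of broker described above ---
# (not Sweet Chat's real configuration)
listener 1883
allow_anonymous true
# No acl_file: any client that connects may subscribe to "#" and receive
# every user's chat messages and photo notifications as they are published.

# --- Hardened: /etc/mosquitto/mosquitto.conf (assumed path) ---
# Must be the first option so the settings below bind to the listener.
per_listener_settings true

# Public listener: TLS only, and every client must authenticate.
listener 8883
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file      /etc/mosquitto/acl
cafile        /etc/mosquitto/certs/ca.crt
certfile      /etc/mosquitto/certs/broker.crt
keyfile       /etc/mosquitto/certs/broker.key

# --- /etc/mosquitto/acl (assumed topic layout chat/<username>/...) ---
# "topic" lines placed before the first "user" line would apply to
# anonymous clients; none are granted because anonymous access is off.
#
# %u expands to the authenticated username, so each account may only read
# and write beneath its own branch. A subscription to "#" or "chat/#" is
# accepted by the broker but delivers nothing outside that branch.
pattern readwrite chat/%u/#
pattern read      broadcast/#

# A server-side publisher (hypothetical account) gets write access to the
# broadcast branch only; it cannot read any user's private topics.
user announcer
topic write broadcast/#
```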
Further analysis of the exposed data revealed a significant amount of bot traffic generated on the app. The researcher suggests it was used to lure users into spending credits or to send various gift cards for financial gain. The unsecured server remained accessible even after the researcher notified the company behind the app.
On July 21, 2019, Burke notified the company behind the app regarding the unsecured server. However, by August 9, the server still remained unsecured. On August 12, 2019, the researcher noticed that the exposed server had been secured with a temporary fix. However, the researcher suggested that the company would need major design changes to fix all the issues.