Freedom Chat Security Flaws Exposed User Phone Numbers And PINs

Tricia Wei

Security researchers have reported that the messaging app Freedom Chat recently contained two serious security flaws. These vulnerabilities made it possible for attackers to expose users’ phone numbers and PIN codes, raising concerns about how safely personal data was being handled.

Researchers uncover major flaws:

Security researcher Eric Daigle revealed that Freedom Chat suffered from a server misconfiguration similar to one previously seen with WhatsApp. In that case, phone numbers belonging to 3.5 billion users were exposed.

Freedom Chat’s servers reportedly allowed anyone to repeatedly guess phone numbers without limitation. By doing so, it was possible to check whether a specific number was linked to an active account, creating a clear risk for user privacy.

PIN codes exposed through app traffic:

The second vulnerability was even more concerning, as it involved leaking users’ PIN codes. Daigle explained that he used an open source network traffic inspection tool to examine how data moved through the app. During this process, he discovered that the app responded with the PIN code of every user within the same public channel, even though those PINs were not visible inside the app itself.

According to Daigle, anyone subscribed to Freedom Chat’s default channel had their PIN code broadcast to all other users in that channel. Since every new user is automatically subscribed upon signing up, this created a widespread risk. Anyone who then gained access to a user’s device could easily unlock the app with the exposed PIN.

The risks did not stop there. Many people reuse the same PIN across different services. If that were the case, exposed PINs could potentially be used to access other apps and tools, including credit cards, crypto wallets, and social media accounts.
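The sketch below is an added example, not Freedom Chat's code. It shows how a backend team can catch this class of leak before release: build channel responses from an allow-list of fields, and audit outgoing payloads for secret-looking keys the way a traffic inspection would. The field names, response shape and sample rows are assumptions made up for illustration.

```python
import json

# Assumed denylist of key names that must never appear in a response.
SENSITIVE_KEYS = {"pin", "pin_hash", "password", "otp", "secret"}

# Assumed allow-list: the only member fields the channel view renders.
PUBLIC_MEMBER_FIELDS = ("user_id", "display_name", "joined_at")

# Constructed sample rows standing in for stored user records.
ROWS = [
    {"user_id": 1, "display_name": "alice", "joined_at": "2025-01-01",
     "pin": "0000", "phone": "+15550100"},
    {"user_id": 2, "display_name": "bob", "joined_at": "2025-01-02",
     "pin": "1111", "phone": "+15550101"},
]


def serialize_member(record: dict) -> dict:
    """Build the outgoing object field by field instead of dumping the row."""
    return {k: record[k] for k in PUBLIC_MEMBER_FIELDS if k in record}


def find_sensitive_paths(payload, path="$"):
    """Recursively list JSON paths whose key name is on the denylist."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_KEYS:
                hits.append(child)
            hits.extend(find_sensitive_paths(value, child))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_sensitive_paths(item, f"{path}[{i}]"))
    return hits


def leaky_response(rows):
    """Whole-row serialization: every stored column reaches every client."""
    return json.loads(json.dumps({"channel": "default", "members": rows}))


def hardened_response(rows):
    """Allow-list serialization: only fields the UI shows leave the server."""
    return {"channel": "default", "members": [serialize_member(r) for r in rows]}


if __name__ == "__main__":
    print("leaky:", find_sensitive_paths(leaky_response(ROWS)))
    print("hardened:", find_sensitive_paths(hardened_response(ROWS)))
```

The allow-list also drops the `phone` column, which the denylist audit alone would not have flagged; the audit is a regression check, not a substitute for explicit serialization.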

Limited user base reduces wider impact:

Unlike WhatsApp, which has billions of users, Freedom Chat is a newly released app with a much smaller audience. At the time of discovery, the app reportedly had around 2,000 users, limiting the overall scale of the issue.

Daigle attempted to alert Freedom Chat about the problems but found there was no official method for reporting security bugs. As a result, he was unable to contact the company directly. TechCrunch later managed to reach founder Tanner Haas, who confirmed that a new version of the app had been released and that all user PINs were reset.

Company response and reassurance:

Freedom Chat addressed the issue publicly through an update on its app store page, stating:

“A critical reset: A recent backend update inadvertently exposed user PINs in a system response,”

The company also reassured users about the safety of their conversations, adding:

“No messages were ever at risk, and because Freedom Chat does not support linked devices, your conversations were never accessible; however, we’ve reset all user PINs to ensure your account stays secure. Your privacy remains our top priority.”

With the update now released and PINs reset, the company says the vulnerabilities have been addressed, though the incident highlights the importance of strong security practices, especially for new messaging platforms.
