Nothing kills iMessage bridge because it profoundly violated user privacy & security

Posted:
in General Discussion

Nothing and Sunbird pulled the shockingly insecure iMessage bridge, but only after it was discovered that not only did Sunbird log and retain messages, vCards, and more, but that retained user data could also be downloaded by others.

Nothing Chats
Nothing Chats



Nothing Chats was pulled from the Google Play Store on Saturday only a few days after it was introduced. Launched on November 14, suspicions were raised about the app within days, including its seeming lack of encryption, and the sending of login credentials over the internet using plaintext HTTP.

On Saturday, things got worse for the Nothing and Sunbird service, with more revelations over the astounding lack of security safeguards for the app.

Early in the day, Nothing removed the app from the Google Play Store. In a post on X, formerly Twitter, the phone maker somewhat optimistically says it is "delaying the launch until further notice to work with Sunbird to fix several bugs."

Before Nothing pulled the plug, Android app developer Dylan Roussel made some discoveries about the app that demonstrated it as being extremely insecure for its users. In a thread, Roussel declared that Sunbird had "access to every message sent and received through the app on your device," that all documents including images, videos, and vCards sent through the app are publicly viewable, and that Nothing Chats doesn't use end-to-end encryption at all.

Pushed forward by a claim by Sunbird that HTTP was fine for an initial request, Roussel says that Sunbird has access since it abuses error detection tool Sentry. Rather than using it to log errors, Sunbird instead used Sentry to log the messages and pretending they were errors.

After trying and succeeding with texts, Roussel then tried sending other forms of media, and found that they were sent to Firebase. He then wondered if it was possible to see media posted by other users, and not only managed to generate a list, but was able to access some elements.

Sunbird has access to every message sent and received through the app. They do this by abusing @getsentry, which is used to monitor errors.

But Sunbird logs messages, pretending they are errors.

Here are part of the requests (img 1, 3) and their entire "message" (img 2, 4) pic.twitter.com/pzwwQVWfOb

-- Dylan Roussel (@evowizz)



More than 637,000 media items were stored by Sunbird at the time of the thread's posting. That collection included vCards, which the app suggests to send to others at the start of a conversation so that the user's Apple ID email address is merged with a phone number on the contact's phone.

Roussel then proceeded to download one of the 2,300 or so vCards in the archive, proving it was possible to get other users' phone numbers and details.

Files were also stored with the original file names intact. Roussel said this was an issue as it could include part of a URL, or confidential or sensitive information, which has further security implications.

Finally, Roussel said the chats aren't end-to-end encrypted at all. "After discovering that medias are shared publicly, this news comes with the realization that Sunbird, and by extension, Nothing Chats is not end-to-end, as advertised everywhere," the developer wrote.

As for what Nothing could do, at the time Roussel said the app should get removed from the Play Store, and then to warn all users. Under Europe's GDPR, rules, Sunbird has 72 hours from being notified of a vulnerability to notify the victims.

"Nothing Chats was not developed by Nothing. But Nothing should have verified that the app which uses their name is secured, before claiming it is," Roussel comments on the matter. "This is probably the biggest privacy nightmare' I've seen by a phone manufacturer in years."



Read on AppleInsider

FileMakerFeller
«1

Comments

  • Reply 1 of 22
    XedXed Posts: 2,823member
    LOL The fact that it took this long to come to this conclusion is good enough reason for me to expect great things from Nothing.
    napoleon_phoneapartcaladanianwilliamlondondamn_its_hotgeekmeewatto_cobramagman1979
  • Reply 2 of 22
    chasmchasm Posts: 3,525member
    With any luck, Sunbird will be forced out of business by victim legal actions.

    I re-christen Nothing as Know-Nothing, as they are clearly incompetent at vetting the apps they rely on.

    You could not pay me enough to even LOOK at the Nothing Phone (or Android generally, this app was passed by Google's Play Store) much less use one.

    I often think we Apple users take the amount of security and privacy we get for granted, but there's a lot of hard work being done to build and secure that infrastructure.

    Know Nothing Phone was the world Google would prefer we live in. Pity the Android user.
    napoleon_phoneapartAnilu_777caladanianjas99williamlondondamn_its_hotgeekmeeAlex1Nwatto_cobraradarthekat
  • Reply 3 of 22
    Wow. Nothing's incompetence exposed Sunbird's maliciousness. 

    This is plain evil in this day and age. 

    You can really only figure that your iMessage is encrypted when communicating with another iPhone anyway. But now that users are allowing apps. to read. the messages, that all goes out the door. Apple looking to use universal encryption for RCS is just as dangerous and Apple should really. undertake that task themselves. It becomes a bit of a snowball issue though. because they then have to keep up with the Android problems.  sheesh.
    XedAnilu_777chasmgeekmeeAlex1NJaiOh81watto_cobramagman1979FileMakerFeller
  • Reply 4 of 22
    XedXed Posts: 2,823member
    Wow. Nothing's incompetence exposed Sunbird's maliciousness. 
    That's an excellent and succinct way to put it.
    Anilu_777chasmgeekmeeAlex1Nwatto_cobraradarthekatmagman1979FileMakerFeller
  • Reply 5 of 22
    jingojingo Posts: 118member
    This either proves that doing this stuff right isn’t easy, or that doing it wrong is. Either way it’s a very good reason to stay with Apple.
    Anilu_777caladanianjas99williamlondongeekmeeAlex1NJaiOh81watto_cobraradarthekatmagman1979
  • Reply 6 of 22
    chasmchasm Posts: 3,525member
    And just to re-emphasize this point: how could such an app get onto the Google Play Store in the first place? Do they have NO app review process over there?

    And why would Nothing trust Sunbird to “fix” this, when it’s very very obvious they did this deliberately to capture credentials and content from users?

    I predict lawyers will have a field day with this one.
    williamlondonAlex1Nwatto_cobramagman1979lotonesFileMakerFeller
  • Reply 7 of 22
    eriamjheriamjh Posts: 1,733member
    So everyone who used this app and a Nothing phone has had all of their iMessage credentials stolen, right?   
    Alex1Nradarthekatmagman1979FileMakerFellerwatto_cobra
  • Reply 8 of 22
    gatorguygatorguy Posts: 24,604member
    chasm said:
    And just to re-emphasize this point: how could such an app get onto the Google Play Store in the first place? Do they have NO app review process over there?

    Happens to the best of us.
     https://www.intego.com/mac-security-blog/after-backlash-apple-removes-fake-threads-app-unethical-loan-apps-from-app-store/

    Don't let your toenails scratch your tongue. I've heard it really hurts ;)
    edited November 2023 HonkersITGUYINSDdamn_its_hotFileMakerFeller
  • Reply 9 of 22
    y2any2an Posts: 213member
    Dumb and stupid by Sunbird and Nothing, yes. Dumber and more stupid is anyone who gives their credentials to a third party app or web site. Think Venmo and any other app/site that throws up a request to log in, regardless of how legitimate the page looks. That page is usually running within the context of the app/site so who can ever know what’s being done with your credentials? If it’s not a native browser secure session directly to the service, just say no. 
    FileMakerFellerwatto_cobra
  • Reply 10 of 22
    y2an said:
    Dumb and stupid by Sunbird and Nothing, yes. Dumber and more stupid is anyone who gives their credentials to a third party app or web site. Think Venmo and any other app/site that throws up a request to log in, regardless of how legitimate the page looks. That page is usually running within the context of the app/site so who can ever know what’s being done with your credentials? If it’s not a native browser secure session directly to the service, just say no. 
    I could not agree more - I grew up as an adult hearing the “Just Say No” aimed @ all of us living in a world where everyone was self medicating. All the humor on the late nights was about how funny it was to get Quazy and trip over your privates. I think applying the “Just Say No” line to this makes so much sense.
    FileMakerFellerwatto_cobra
  • Reply 11 of 22
    What the f**k was supposed to be the reason for this so called bridge?
    Remiindes me a fine album titled “Bridge Of Sighs”….
    watto_cobra
  • Reply 12 of 22
    XedXed Posts: 2,823member
    What the f**k was supposed to be the reason for this so called bridge?
    Remiindes me a fine album titled “Bridge Of Sighs”….
    So that Nothing phones, which are Android-based, could connect to Apple's iMessages.
    Honkerswilliamlondonradarthekatwatto_cobra
  • Reply 13 of 22
    gatorguy said:
    chasm said:
    And just to re-emphasize this point: how could such an app get onto the Google Play Store in the first place? Do they have NO app review process over there?

    Happens to the best of us.
     https://www.intego.com/mac-security-blog/after-backlash-apple-removes-fake-threads-app-unethical-loan-apps-from-app-store/

    Don't let your toenails scratch your tongue. I've heard it really hurts ;)
    Gee, 23,000 posts. I wonder if he could be an agitator?
    Can you say? Arab Spring 
    radarthekatmagman1979williamlondonwatto_cobra
  • Reply 14 of 22
    gatorguygatorguy Posts: 24,604member
    geekmee said:
    gatorguy said:
    chasm said:
    And just to re-emphasize this point: how could such an app get onto the Google Play Store in the first place? Do they have NO app review process over there?

    Happens to the best of us.
     https://www.intego.com/mac-security-blog/after-backlash-apple-removes-fake-threads-app-unethical-loan-apps-from-app-store/

    Don't let your toenails scratch your tongue. I've heard it really hurts ;)
    Gee, 23,000 posts. 
    When I joined AI around 13 years ago the forum was a lot more lively, hundreds of new posts every day from dozens of different members. There was a lot to talk about. You're one of the old guys and remember how it was, not for the meek, thin-skinned, or ill-informed. :)

    I've slowed down visits in the last 2-3 as have a lot of the old members. There are fewer articles posted, the ones we have are less divisive, and members are less interested in commenting on them. The pieces I want to involve myself in are few and far between any more, but occasionally a subject comes up where commenters are confused or unaware, and my interest is piqued. This happens to one of those.

    So yeah, I may have slowed down the number of posts in recent years a LOT, but there are still ones I enjoy participating in.
    edited November 2023 muthuk_vanalingamFileMakerFeller
  • Reply 15 of 22
    radarthekatradarthekat Posts: 3,898moderator
    gatorguy said:
    geekmee said:
    gatorguy said:
    chasm said:
    And just to re-emphasize this point: how could such an app get onto the Google Play Store in the first place? Do they have NO app review process over there?

    Happens to the best of us.
     https://www.intego.com/mac-security-blog/after-backlash-apple-removes-fake-threads-app-unethical-loan-apps-from-app-store/

    Don't let your toenails scratch your tongue. I've heard it really hurts ;)
    Gee, 23,000 posts. 
    When I joined AI around 13 years ago the forum was a lot more lively, hundreds of new posts every day from dozens of different members. There was a lot to talk about. You're one of the old guys and remember how it was, not for the meek, thin-skinned, or ill-informed. :)

    I've slowed down visits in the last 2-3 as have a lot of the old members. There are fewer articles posted, the ones we have are less divisive, and members are less interested in commenting on them. The pieces I want to involve myself in are few and far between any more, but occasionally a subject comes up where commenters are confused or unaware, and my interest is piqued. This happens to one of those.

    So yeah, I may have slowed down the number of posts in recent years a LOT, but there are still ones I enjoy participating in.
    I don't have nearly the number of posts as you, but I agree with your statements.  There was a lot more to argue about back in the Apple is Doomed days; funny how success quells antagonism.  Many here have not welcomed many of your counter-argument posts over the years, but it's clear you've presented a valuable counter to the sometimes too fervent Apple fanaticism.  You've held your own well through those nearly 24k comments.  
    muthuk_vanalingamwilliamlondonFileMakerFellerroundaboutnowAlex1N
  • Reply 16 of 22
    gatorguy said:
    chasm said:
    And just to re-emphasize this point: how could such an app get onto the Google Play Store in the first place? Do they have NO app review process over there?

    Happens to the best of us.
     https://www.intego.com/mac-security-blog/after-backlash-apple-removes-fake-threads-app-unethical-loan-apps-from-app-store/

    Don't let your toenails scratch your tongue. I've heard it really hurts ;)
    As usual, you always come out like a New York cockroach from the shadows to defend Google and their deceitful ilk, and bash Apple, never fails...
    williamlondonwatto_cobra
  • Reply 17 of 22
    gatorguygatorguy Posts: 24,604member
    gatorguy said:
    chasm said:
    And just to re-emphasize this point: how could such an app get onto the Google Play Store in the first place? Do they have NO app review process over there?

    Happens to the best of us.
     https://www.intego.com/mac-security-blog/after-backlash-apple-removes-fake-threads-app-unethical-loan-apps-from-app-store/

    Don't let your toenails scratch your tongue. I've heard it really hurts ;)
    As usual, you always come out like a New York cockroach from the shadows to defend Google and their deceitful ilk, and bash Apple, never fails...
    I guess following the discussion wasn't to your liking?
    edited November 2023 muthuk_vanalingamFileMakerFeller
  • Reply 18 of 22
    Moral qualms aside, the idea to log all messages as errors through Sentry is a clever hack. Not sure how that can be closed off.
    watto_cobraAlex1N
  • Reply 19 of 22
    What could nothing do? Nothing.
    watto_cobraAlex1N9secondkox2
  • Reply 20 of 22
    Well, like they say, you can't get something from Nothing.
    watto_cobraAlex1N9secondkox2
Sign In or Register to comment.