Messaging app JusTalk is exposing millions of unencrypted messages | TechCrunch
Popular video calling and messaging app JusTalk claims to be both secure and encrypted. However, a security bug proved the app was insecure and unencrypted after a huge cache of users’ private, unencrypted messages was found online.
The messaging app is widely used across Asia and has a fast-growing international audience of 20 million users globally. Google Play lists JusTalk Kids, advertised as a kid-friendly and compatible version of the messaging app, as having over 1 million Android downloads.
JusTalk says both of its apps are end-to-end encrypted, meaning only the people in the conversation can read their messages, and boasts on its website that “only you and the person you communicate with can view, read or listen to them: JusTalk group will not access your data!”
But a review of the massive cache of internal data, viewed by TechCrunch, proves those claims to be untrue. The data includes millions of messages from JusTalk users, along with the exact date and time they were sent and the phone numbers of both the sender and recipient. The data also contains records of calls made using the application.
Security researcher Anurag Sen found the data this week and asked TechCrunch for help in reporting it to the company. Juphoon, the China-based cloud computing company behind the messaging app, said it expanded the service in 2016 and that the service is now owned and operated by Ningbo Jus, a company that apparently shares the same office as listed on Juphoon’s website. But despite numerous attempts to contact JusTalk founder Leo Lv and other executives, our emails were not acknowledged or returned, and the company showed no effort to remedy the problem. A text message to Lv’s phone was marked as sent but not read.
Since each message recorded in the data contains every phone number in the same conversation, it is possible to track entire conversations, including those of children who are using the JusTalk Kids app to chat with their parents.
The internal data also includes detailed locations of thousands of users, collected from users’ phones, with multiple clusters of users in the US, UK, India, Saudi Arabia, Thailand and mainland China.
According to Sen, the data also contains logs from a third-party application, JusTalk’s 2nd Phone Number, which allows users to create a temporary, virtual phone number to use instead of providing their private cell phone number. A review of some of these records reveals both the user’s cell phone number and any temporary phone numbers they generated.
We are not disclosing where or how the data was obtained, but we are considering making it public after we found evidence that Sen was not alone in discovering the data.
This is the latest in a series of data spills in China. On the first day of this month, a huge database of about 1 billion Chinese residents was taken from a Shanghai police database hosted on Alibaba’s cloud, and part of the data has been published online. Beijing has yet to comment publicly on the leak, but references to the breach on social media have reportedly been widely censored.