Update 09/13/18: Since the publishing of this article, a number of developments have taken place:
- The author of the post has chosen to reveal their identity. Known online as “Chancity,” he is the creator of the Kin Blockchain Explorer and a developer on the KinTipBot team.
- Blastchat founder Jhamar Youngblood has acknowledged the incident and posted an additional update to Medium detailing his plans to secure the application, after permanently wiping all previously stored data.
- The Kin Foundation has acknowledged the incident and stated that they will now be reviewing the security of all apps under the Kin Developer Program prior to approval after ‘demo day’ on October 2nd.
NuFi has recently received multiple anonymous tips regarding a security vulnerability in the mobile app ‘Blastchat.’ The following is a responsible disclosure warning. NuFi has chosen not to reveal the author of the post, but has independently verified their claims.
Blastchat, a mobile chat app and recently announced participant in the Kin Developer Program, has been:
- Storing passwords in plain text.
- Storing emails, phone numbers and passwords in plain text associated with a username.
- Not encrypting communication between devices and their servers.
As a result, anyone running a packet-monitoring firewall on their network, or any third-party who decided to packet sniff the app, could look at the app’s “Leaderboard,” and in turn, collect the username, password, email and phone number of all users in plain text.
Additionally, this means that the creators of Blastchat also had access to all usernames, passwords and emails in plain text.
The vulnerability was first reported to Blastchat a few days ago, and has likely been present since the app’s initial release.
As of the publish date of this article, September 12th, 2018, Blastchat has not alerted users to this issue and the potential risk of breach, nor emailed them encouraging them to change their passwords. Instead, the Blastchat team has taken their app offline, citing their Kin integration work as the only reason for doing so.
Knowing that the servers are now offline, and in consideration of the Blastchat team’s decision to forego alerting its own users, we have chosen to disclose this vulnerability. It is unclear if this information was ever accessed by malicious parties or not, but users should take precautions.
- Change their password on any website that they used the same password for Blastchat (remember to try and use unique passwords).
- Consider changing their email address on any website related to cryptocurrency. Third-parties may now have your email address and phone number, which are often the only things required to do social engineering attacks to gain entry to 2FA authenticated accounts.
- If you don’t currently use 2-Factor Authentication (2FA), consider setting it up wherever possible. Use on-device 2FA like Google Authenticator rather than SMS-based 2FA, as the SMS method is more vulnerable.
Users should not:
- Update to a secure password in Blastchat as soon as the servers go back online. Users should await further updates and independent verification that the vulnerabilities are resolved.
This vulnerability should serve as a reminder of the importance of user data security and privacy in the modern world. Recent data breaches have cost even high-profile companies billions of dollars in liability, annually.
Participants in the Kin Developer Program, many of whom are building applications from scratch, will face the additional challenge of securing users’ cryptocurrency wallets. The security of user data is critical when merging the consumer app experience with decentralized currency, which can not be recovered if stolen.
The NuFi team hopes Blastchat can resolve these issues and disclose them to users. At such a time, NuFi is committed to updating the article to let users know there is no longer any jeopardy.
NuFi.io is an independent publisher aimed at providing quality journalism in the cryptocurrency space. NuFi is not associated with, paid by, or employed by any cryptocurrency project. We rely on subscriptions from readers like you!
To help keep NuFi.io ad-free and creating quality content consider:
- Subscribing on Patreon for only $2.99/month
- Donate ETH, Kin or ERC20 tokens to our address.
- Or donate most cryptocurrencies via CoinPayments using the following button: