Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Android Security

Nothing's iMessage App Was a Security Catastrophe, Taken Down In 24 Hours (arstechnica.com) 47

Last week, Android smartphone manufacturer "Nothing" announced that it's bringing iMessage to its newest phone through a new "Nothing Chats" app powered by the messaging platform Sunbird. After launching Friday, the app was shut down within 24 hours and the Sunbird app, which Nothing Chat is a clone of, was put "on pause." The reason? It's a security nightmare. Ars Technica reports: The initial sales pitch for this app -- that it would log you into iMessage on Android if you handed over your Apple username and password -- was a huge security red flag that meant Sunbird would need an ultra-secure infrastructure to avoid disaster. Instead, the app turned out to be about as unsecure as you could possibly be. Here's Nothing's statement: "We've removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs. We apologize for the delay and will do right by our users."

How bad are the security issues? Both 9to5Google and Text.com (which is owned by Automattic, the company behind WordPress) uncovered shockingly bad security practices. Not only was the app not end-to-end encrypted, as claimed numerous times by Nothing and Sunbird, but Sunbird actually logged and stored messages in plain text on both the error reporting software Sentry and in a Firebase store. Authentication tokens were sent over unencrypted HTTP so this token could be intercepted and used to read your messages. [...]

Despite being the cause of this huge catastrophe, Sunbird has been bizarrely quiet during this whole mess. The app's X (formerly Twitter) page still doesn't say anything about the shutdown of Nothing Chats or Sunbird. Maybe that's for the best because some of Sunbird's early responses to the security concerns raised on Friday do not seem like they came from a competent developer. [...] Nothing has always seemed like an Android manufacturer that was more hype than substance, but we can now add "negligent" to that list. The company latched on to Sunbird, reskinned its app, created a promo website and YouTube video, and coordinated a media release with popular YouTubers, all without doing the slightest bit of due diligence on Sunbird's apps or its security claims. It's unbelievable that these two companies made it this far -- the launch of Nothing Chats required a systemic security failure across two entire companies.

This discussion has been archived. No new comments can be posted.

Nothing's iMessage App Was a Security Catastrophe, Taken Down In 24 Hours

Comments Filter:
  • by Brain-Fu ( 1274756 ) on Monday November 20, 2023 @08:15PM (#64020081) Homepage Journal

    Senior level developers are expensive. The market is full of greenies who don't realize how much there is to know about security. When interviewed by non-technicians who also don't have a clue, a simple question like "can you make it secure?" will get an honest but completely false answer of "yes."

    The other common reason is management imposing impossible deadlines and being deaf to the protests of their people who actually do now a thing or two about security, but are told to ignore it.

    There may also be unethical consultants involved, or cheap foreign development shops that don't have incentive to care.

    The only surprising thing about this story is how common it is.

    • by gweihir ( 88907 ) on Tuesday November 21, 2023 @04:20AM (#64020779)

      Indeed. So very much this. After CS studies with a security elective (everything on offer back when), it took me something like 5 years to begin to understand how much I did not know that I did not know and 10 additional years or so to fix that.

      A major part of any sane engineering education is to enable graduates to really understand the limits of their skills and insights and to know when they need additional skills or need to get an expert to do something. In CS/IT that is still mostly missing and even more so in IT security. Hence crap like this happens. If the ones that wrote this crap even have a degree that is.

  • News Flash (Score:5, Insightful)

    by WankerWeasel ( 875277 ) on Monday November 20, 2023 @08:16PM (#64020087)

    Who would have thought that a company that required you give them your username and password to another service so they could store it on their own servers and pass your messages through, wouldn't be the most secure spot around.

    • Who would have thought that a company that required you give them your username and password to another service

      How else could it work?

      If they're logging onto Apple servers on your behalf, they obviously need your login/pw.

      • I didn't suggest otherwise. I simply pointed out that the glaring security issue with their standard setup should have been a indicator for everyone that they may not value security that much.

      • Re:News Flash (Score:4, Insightful)

        by kqs ( 1038910 ) on Monday November 20, 2023 @09:25PM (#64020189)

        This is actually not "obviously" true. Many services have ways to authenticate with a service but then pass your authorization to a third party. Hell, I implemented OpenID around 20 years ago to let people authenticate to my web site using third-party credentials. The fact that Apple chooses not to do this means that the security issues are 50% due to Nothing (because what the fuck were they thinking?) and 50% Apple (because Apple talks about privacy and security, but doesn't act on those words if you ever dare to communicate with any of the non-Apple-purchasing heathens in the world). Apple could have implemented a secure way for third parties to use iMessage, but they care a lot about money and very little about privacy, so Apple just followed the dollars.

        This is why I don't give my dollars to Apple, but everyone should make their own choices.

        • That's a good example of the industry-wide problem with security. There is a lot to know about security, and most people don't know very much about it, and (worst of all) they don't know how much they don't know. So they think things like "well, obviously, this is the only way to do it" when in fact there are much more secure options out there.

          Its a field where everyone who knows anything about it tends to think they know a lot more about it than they do.

        • Re:News Flash (Score:5, Informative)

          by magzteel ( 5013587 ) on Monday November 20, 2023 @10:37PM (#64020351)

          This is actually not "obviously" true. Many services have ways to authenticate with a service but then pass your authorization to a third party. Hell, I implemented OpenID around 20 years ago to let people authenticate to my web site using third-party credentials. The fact that Apple chooses not to do this means that the security issues are 50% due to Nothing (because what the fuck were they thinking?) and 50% Apple (because Apple talks about privacy and security, but doesn't act on those words if you ever dare to communicate with any of the non-Apple-purchasing heathens in the world). Apple could have implemented a secure way for third parties to use iMessage, but they care a lot about money and very little about privacy, so Apple just followed the dollars.

          This is why I don't give my dollars to Apple, but everyone should make their own choices.

          Apple chooses not to do this because they don't want to open iMessage in this way. They are trying to hack their way in and you are blaming Apple for making them do it.

          Maybe you should just leave your keys in the ignition when you park your car. Never know, someone might want to use it.

          • Maybe you should just leave your keys in the ignition when you park your car. Never know, someone might want to use it.

            I do this. I use a car sharing service, and don't give money to companies who don't allow me to share cars.

        • by stooo ( 2202012 )

          >> the security issues are 50% due to Nothing and 50% Apple
          Nope.
          It is 100% responsibility of "Nothing" to choose the correct platform.

        • It is really, Apple most probably does oneway encryption, so even if their service was hacked, it would be very difficult to retrieve actual passwords. Now a third party vender is storing credentials which are not oneway encrypted, which is a major security flaw in any authentication system.

      • The question is not how to do it any other way, the question is why people are stupid enough to...

        What am I saying, people are stupid enough to give smart home appliance makers the keys to their house, then ask them nicely to be let into their own homes. Your honor, I withdraw my question.

      • It should be very very obvious that you would never ever give your Apple ID and password to anyone but apple. And definitely not to a company with a moronic name like this.
        • by namgge ( 777284 )
          Indeed, it's also a breach of Apple's conditions for the use of its iCloud services (section IV.A) and therefore could presumably result in termination of the account.
      • by flink ( 18449 )

        They could use some sort token flow like OAuth /w PKCE. You just provision the refresh and access tokens with the service provider and as long as the IDP never expires actively used refresh tokens, then it should work indefinitely as long as you use the service often enough to keep your tokens active. The user's credentials would never pass through the Sunbird servers in that scenario.

        Now I don't know if Apple offers 3rd party apps to obtain tokens /w scopes sufficient to send iMessages, but that is how I

  • by dgatwood ( 11270 ) on Monday November 20, 2023 @09:33PM (#64020215) Homepage Journal

    This story is much ado about Nothing. On the one hand, what they created was apparently designed in just about the most security-incompetent way possible. On the other hand, people have heard of them now, and I guess that's worth something. :-D

  • by Tony Isaac ( 1301187 ) on Monday November 20, 2023 @11:27PM (#64020413) Homepage

    This illustrates a total failure for X's branding. Every single time X is mentioned anywhere, it is followed by "formerly Twitter". Clearly, reporters are worried that no one will know what "X" is. And they're probably right, and I hope the rebrand--and the company--goes down in flames.

    • Using only one single letter as brand is stupid anyway. Unsearchable.
      • by gweihir ( 88907 )

        Using only one single letter as brand is stupid anyway. Unsearchable.

        You have to admit that Musk does "stupid" pretty well. Probably not an act either.

      • Don't worry, he also stupidly spent the money to buy the site x.com

        No single person except a nun types x into their address bar first and doesn't get a little nervous.

        • by Pascoea ( 968200 )
          xkcd.com is my first autocomplete suggestion when typing "x" into my address bar. Then Xen Orchestra, then x.com (Formally known as Twitter). What kinda pervy stuff are you looking at?
    • by mjwx ( 966435 )

      This illustrates a total failure for X's branding. Every single time X is mentioned anywhere, it is followed by "formerly Twitter". Clearly, reporters are worried that no one will know what "X" is. And they're probably right, and I hope the rebrand--and the company--goes down in flames.

      Hence it's become "the app formerly known as Twitter".

    • Here it is mostly called Xitter, a good name for ex-Twitter.

  • Remember when we could say "Well, it's better than nothing" and it basically meant that you at least have something?

    Can't really say that anymore. Just being better than Nothing means nothing anymore.

  • When will people learn? There need to be some C-level firings over this for gross incompetence.

  • Reminds me of "Essential" phone, a bit. Picking a reasonably big player is certainly no guarantee of avoiding problems, but the tradeoff of picking an outlier usually isn't worth it.
  • It is Nothing. Move along.
  • openauth works only on unsecure http. I repeat 3rd party sign on is unencrypted, because it can't be. like, google, apple, microsoft, they all fall back to unsecured http to do these 3rd party auths.... so most likely, you're doing this all the time, what's more, it's usually that ways anyways because that's the way it's done regardless yea, I had shocked pikachu face too, but that's the way it is

If mathematically you end up with the wrong answer, try multiplying by the page number.

Working...