Freedom Chat Patches Major PIN and Phone Number Security Flaws
Think your private messenger is bulletproof?
Security isn’t a feature you can market; it’s a continuous engineering discipline that only gets proven when it’s tested. Freedom Chat, a newcomer to the secure messaging space launched just this past June, recently learned this lesson the hard way. The app, which boasted on its website that users’ phone numbers remain private, has been forced to issue emergency patches after a security researcher exposed two glaring vulnerabilities that put user data at risk.
The flaws, discovered by security researcher Eric Daigle, highlight how quickly the promises of “privacy-first” apps can crumble under scrutiny. Daigle found that Freedom Chat’s infrastructure allowed for the enumeration of nearly 2,000 user phone numbers. By flooding the app’s servers with millions of guesses—a technique reminiscent of recent academic research into WhatsApp’s infrastructure—an attacker could effectively map out the user base, directly contradicting the app’s core privacy claim.
Even more damning was the exposure of user-set PINs. These four-digit codes, designed to lock down the app on a device, were being broadcast in plain text to anyone sharing the app’s default public channel. Daigle utilized open-source network traffic inspection tools to intercept these codes. This meant that a bad actor didn’t need to hack a device; they simply had to be listening to the right digital hallway to scoop up the keys to users’ accounts. In the wrong hands, a stolen phone and a known PIN are a complete breach of privacy.
The fallout was swift but reactive. Following TechCrunch’s alert—necessary because Freedom Chat lacks a public vulnerability disclosure program—founder Tanner Haas confirmed that the app has patched the backend, reset all user PINs, and increased server rate-limiting to stop mass-guessing attacks. In a subsequent app store update, the company confirmed the breach but emphasized that messages themselves were never at risk, a small silver lining in an otherwise significant security event.
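To make the rate-limiting fix described above concrete, here is an added illustration (not Freedom Chat's code, whose backend is not public) of how a contact-discovery endpoint can pair a per-client lookup cap with a check for the enumeration pattern the article describes: a flood of guesses that almost all miss. The class name, thresholds and the sample of registered numbers are assumptions for the example.

```python
from collections import deque
import time


class ContactDiscoveryGuard:
    """Per-client guard for a phone-number lookup endpoint (hypothetical design).

    Two controls: a hard cap on lookups per client per window (rate limiting),
    and an enumeration detector that refuses to answer once a client's recent
    lookups are overwhelmingly misses. A genuine address-book sync hits far
    more often than a brute-force sweep of number space.
    """

    def __init__(self, registered, max_per_window=50, window_s=60.0,
                 min_sample=20, max_miss_ratio=0.9):
        self.registered = set(registered)   # registered user numbers (constructed sample)
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.min_sample = min_sample
        self.max_miss_ratio = max_miss_ratio
        self.events = {}                    # client_id -> deque of (timestamp, was_hit)

    def _prune(self, q, now):
        # Drop events that fell out of the sliding window.
        while q and now - q[0][0] > self.window_s:
            q.popleft()

    def lookup(self, client_id, number, now=None):
        """Return 'hit', 'miss', 'rate_limited' or 'enumeration_suspected'."""
        now = time.monotonic() if now is None else now
        q = self.events.setdefault(client_id, deque())
        self._prune(q, now)
        if len(q) >= self.max_per_window:
            return "rate_limited"
        misses = sum(1 for _, hit in q if not hit)
        # Decide before answering so a flagged client learns nothing new.
        if len(q) >= self.min_sample and misses / len(q) > self.max_miss_ratio:
            return "enumeration_suspected"
        hit = number in self.registered
        q.append((now, hit))
        return "hit" if hit else "miss"


def simulate(guard, client_id, numbers, start=0.0, step=0.01):
    """Replay one client's lookups at fixed intervals; returns the verdict per lookup."""
    return [guard.lookup(client_id, n, now=start + i * step)
            for i, n in enumerate(numbers)]
```

A real deployment would also key the limits on something harder to rotate than a client id (account, device attestation, or IP reputation) and alert on the `enumeration_suspected` verdict.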
This incident serves as a stark reminder for users gravitating toward niche, “secure” alternatives to mainstream giants. While the promise of privacy is alluring, the reality is that security requires massive resources, rigorous auditing, and transparent channels for reporting bugs. Freedom Chat is following in the footsteps of apps like Converso, which was similarly delisted after security failures. For the user, the takeaway is clear: trust is earned through resilience, not marketing copy. Before downloading a new tool promising ironclad privacy, look for a mature bug bounty program and a proven track record of patching flaws before they make headlines. Your data is only as secure as the server it lives on.