Kik’s Crypto Project Blastchat Messenger App Reveals Users’ Sensitive Data without Any Encryption
Messaging App Blastchat Caught Storing Sensitive User Information In Plain Text
The messaging app Blastchat, which was selected for Kik’s $3 million cryptocurrency developer program, has reportedly been caught storing sensitive user data, including passwords, in plain text.
Blastchat started to get traction following its addition to the Kin Developer Program, an incubator-style startup ecosystem created by instant messaging giant Kik. The program is intended to source the best in new cryptocurrency projects by putting $3 million in incentives up for grabs.
Blastchat did not use any encryption for communication between devices and its servers. This means that all passwords, emails, phone numbers, and usernames were effectively visible to the creators of Blastchat. The flaw was discovered by the independent outlet NuFi. Blastchat has since confirmed the issue and quietly taken down its apps from both the App Store and Google Play.
When asked about the vulnerability, a spokesperson confirmed the story. He explained:
“Each application for the Kin Developer Program was carefully reviewed by a selection committee comprised of four team members and a technical advisor. The committee scored each application based on a number of criteria, including the quality of the product’s use case, the quality of the team, and the likelihood that each development team would meet the program’s predetermined milestones.
Participants in the program won’t present their Kin integrations until October 2. Following this, the developers will be responsible for submitting their apps – with the Kin integration – to Google Play and the App Store. At this point, we have not seen any integrations, and the security breach is unrelated to Kin or the Kin Developer Program. Security will be one component that will be evaluated during demo day, and we'll be looking into this when Blastchat’s Kin integration is presented.”
It remains unclear how many users were affected by this incident. The spokesperson continued: “Blastchat was never live with Kin in it. We’ll be evaluating the security of all apps in the program before they submit the new versions with Kin integrations after the demo day.”
However, the Developer Program apps presented on demo day must be integrated with the Kin cryptocurrency. The extra burden of protecting live money, now that Kin knows how haphazard Kin Developer Program implementations can be, has been enough to warrant the auditing of code before submission.
To clarify this, the official statement said: “We went and terminated our AWS Cloud instance. This removed all of [our] data, so on launch day, we will be starting with zero users. We will have an update early next week after we figure out what happened.”
What Should Users Do?
NuFi, the independent firm that discovered the vulnerability, recommended some guidelines for early adopters of the messaging app:
- Change your password on any website where you used the same password as for Blastchat (and remember to use unique passwords going forward).
- Consider changing your email address on any website related to cryptocurrency. Third parties may now have your email address and phone number, which are often the only things required for social engineering attacks that gain entry to 2FA-protected accounts.
- If you don’t currently use 2-Factor Authentication (2FA), consider setting it up wherever possible. Use on-device 2FA like Google Authenticator rather than SMS-based 2FA, as the SMS method is more vulnerable.
They further recommended that users not simply set a new password in Blastchat as soon as the servers come back online, but instead await further updates and independent verification that the vulnerabilities have been resolved.