Disastrous.
Reverse, Reverse
Remember last week, when the alt-smartphone company Nothing — pause for the sigh — announced that it was releasing an app, dubbed Nothing Chats, that would allow its customers to send blue-bubbled iMessage sans iPhone? Well, forget about it. As Ars Technica reports, the messaging service didn't even make it a full 24 hours on Google Play before researchers discovered that the system was plagued with egregious privacy issues.
Sunbird, the platform on which Nothing Chats was built, promises to provide users with "end-to-end encryption" for their messages — a claim that was reiterated by Nothing on its since-updated landing page for the Chats feature.
"Nothing Chats is built on Sunbird's platform and all Chats messages are end-to-end encrypted," the Nothing webpage read, "meaning neither we nor Sunbird can access the messages you’re sending and receiving."
But as it turns out, the app was anything but encrypted, with tech-savvy researchers quickly finding that Nothing and Sunbird were storing users' messages and attachment links in plain text. This would make the text data easily accessible to folks at Nothing, Sunbird, and anyone else who could gain access.
"Nothing Chats app (skinned Sunbird) is an absolute privacy nightmare that sends/stores ALL data unencrypted on firebase," one such researcher, who goes by "wukko" on X-formerly-Twitter, wrote in an X post on Saturday, adding that "for whatever reason" the app also sends "ALL messages and attachments" to Sentry, the crash-reporting cloud platform.
Wukko's allegations were corroborated by researchers over at 9to5Google and Texts.com, who collectively concluded that Nothing and Sunbird were essentially storing user texts, images, and all other attachments — PDFs, videos, you name it — in broad daylight.
Thread time!
Summary:
- Sunbird has access to every message sent and received through the app on your device.
- All of the documents (images, videos, audios, pdfs, vCards...) sent through Nothing Chat AND Sunbird are public.
- Nothing Chats is not end-to-end encrypted.
— Dylan Roussel (@evowizz) November 18, 2023
Bugging Out
Nothing has since walked back the beta Chats feature, with its updated Chats webpage now noting that due to "several bugs," the startup will be "delaying the launch until further notice."
Gotta say, though: to call a massive privacy issue that a company definitely should have known about before partnering with a service like Sunbird a "bug" is a massive understatement. And rest assured, when Nothing took that "bug" announcement over to X, the ensuing community notes were nothing short of brutal.
"Contrary to Nothing's claim about fixing 'bugs' in their upcoming app, these issues are serious security & privacy lapses," reads the top note. "Falsely advertised as end-to-end encrypted, exposes user data in plain text."
Anyway. If you used this app, or any other Sunbird-supported messaging service, you should be wary of what data of yours might be exposed. In the meantime, we're sorry to say that the sad, sad drumbeat of the green bubble march plays on.