Nothing kills iMessage bridge because it profoundly violated user privacy & security

<krt18oF5hqoU1@mid.individual.net>

https://news.novabbs.org/computers/article-flat.php?id=10369&group=misc.phone.mobile.iphone#10369

Path: i2pn2.org!rocksolid2!news.neodome.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: jollyroger@pobox.com (Jolly Roger)
Newsgroups: misc.phone.mobile.iphone
Subject: Nothing kills iMessage bridge because it profoundly violated user
privacy & security
Date: 18 Nov 2023 23:56:08 GMT
Organization: People for the Ethical Treatment of Pirates
Lines: 82
Message-ID: <krt18oF5hqoU1@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Trace: individual.net wykSXtz/5CsFAAzqbUSEUQ5+y1bJLbALkGUWrMk5zFlo0dBQ4z
Cancel-Lock: sha1:M7GtSS/VJrQV03gpEjhiAF606Uo= sha256:RP1KahLHnHtn6U0hND1qbEDBnNr5b+hHXEnqrTSbKOE=
Mail-Copies-To: nobody
User-Agent: slrn/1.0.3 (Darwin)
 by: Jolly Roger - Sat, 18 Nov 2023 23:56 UTC

From the "Duh, anyone with common sense knew this" department:

Nothing kills iMessage bridge because it profoundly violated user
privacy & security

<https://appleinsider.com/articles/23/11/18/nothing-kills-imessage-bridge-because-it-profoundly-violated-user-privacy-security>
---
Nothing and Sunbird pulled the shockingly insecure iMessage bridge, but
only after it was discovered that not only did Sunbird log and retain
messages, vCards, and more, but that retained user data could also be
downloaded by others. Nothing Chats was pulled from the Google Play
Store on Saturday only a few days after it was introduced. Launched on
November 14, suspicions were raised about the app within days, including
its seeming *lack of encryption*, and the sending of login credentials
*over the internet using plaintext* HTTP.

On Saturday, things got worse for the Nothing and Sunbird service, with
more revelations over the astounding lack of security safeguards for the
app.

Early in the day, Nothing removed the app from the Google Play Store. In
a post on X, formerly Twitter, the phone maker somewhat optimistically
says it is "delaying the launch until further notice to work with
Sunbird to fix several bugs."

Before Nothing pulled the plug, Android app developer Dylan Roussel made
some discoveries about the app that demonstrated it as being extremely
insecure for its users. In a thread, Roussel declared that Sunbird had
"access to every message sent and received through the app on your
device," that all documents including images, videos, and vCards sent
through the app are publicly viewable, and that Nothing Chats doesn't
use end-to-end encryption at all.

Pushed forward by a claim by Sunbird that HTTP was fine for an initial
request, Roussel says that Sunbird has access since it abuses error
detection tool Sentry. Rather than using it to log errors, Sunbird
instead used Sentry to log the messages, pretending they were errors.

After trying and succeeding with texts, Roussel then tried sending other
forms of media, and found that they were sent to Firebase. He then
wondered if it was possible to see media posted by other users, and not
only managed to generate a list, but was able to access some elements.

<https://twitter.com/evowizz/status/1725872546396930082>

More than 637,000 media items were stored by Sunbird at the time of the
thread's posting. That collection included vCards, which the app
suggests to send to others at the start of a conversation so that the
user's Apple ID email address is merged with a phone number on the
contact's phone.

Roussel then proceeded to download one of the 2,300 or so vCards in the
archive, proving it was possible to get other users' phone numbers and
details.

Files were also stored with the original file names intact. Roussel said
this was an issue as it could include part of a URL, or confidential or
sensitive information, which has further security implications.

Finally, Roussel said the chats aren't end-to-end encrypted at all.
"After discovering that medias are shared publicly, this news comes with
the realization that Sunbird, and by extension, Nothing Chats is not
end-to-end, as advertised everywhere," the developer wrote.

As for what Nothing could do, at the time Roussel said the app should
get removed from the Play Store, and then to warn all users. Under
Europe's GDPR rules, Sunbird has 72 hours from being notified of a
vulnerability to notify the victims.

"Nothing Chats was not developed by Nothing. But Nothing should have
verified that the app which uses their name is secured, before claiming
it is," Roussel comments on the matter. "This is probably the biggest
privacy nightmare I've seen by a phone manufacturer in years."
---

Fucking OUCH... 🤣

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

Re: Nothing kills iMessage bridge because it profoundly violated user privacy & security

<rMp6N.4658$DADd.888@fx38.iad>

https://news.novabbs.org/computers/article-flat.php?id=10389&group=misc.phone.mobile.iphone#10389

Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer03.iad!feed-me.highwinds-media.com!news.highwinds-media.com!fx38.iad.POSTED!not-for-mail
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: Nothing kills iMessage bridge because it profoundly violated user
privacy & security
Content-Language: en-US
Newsgroups: misc.phone.mobile.iphone
References: <krt18oF5hqoU1@mid.individual.net>
From: bitbucket@blackhole.com (Alan Browne)
In-Reply-To: <krt18oF5hqoU1@mid.individual.net>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Lines: 18
Message-ID: <rMp6N.4658$DADd.888@fx38.iad>
X-Complaints-To: abuse@usenetserver.com
NNTP-Posting-Date: Sun, 19 Nov 2023 15:24:07 UTC
Organization: UsenetServer - www.usenetserver.com
Date: Sun, 19 Nov 2023 10:24:07 -0500
X-Received-Bytes: 1243
 by: Alan Browne - Sun, 19 Nov 2023 15:24 UTC

On 2023-11-18 18:56, Jolly Roger wrote:
> From the "Duh, anyone with common sense knew this" department:
>
> Nothing kills iMessage bridge because it profoundly violated user
> privacy & security
>
> <https://appleinsider.com/articles/23/11/18/nothing-kills-imessage-bridge-because-it-profoundly-violated-user-privacy-security>
> ---
<S>
>
> Fucking OUCH... 🤣

To say the least.

--
“Markets can remain irrational longer than you can remain solvent.”
- John Maynard Keynes.
