Freedom Chat Security Breach: User Data Exposed, PINs and Phone Numbers Compromised


Freedom Chat, a messaging application launched in June 2025, has recently addressed significant security vulnerabilities that compromised user data. Despite its claims of providing a secure communication platform where users’ phone numbers remain confidential, the app was found to have flaws that exposed sensitive information.

Discovery of Vulnerabilities

Security researcher Eric Daigle identified two primary issues within Freedom Chat:

1. Phone Number Enumeration: The app’s servers permitted an unlimited number of phone number guesses, enabling attackers to determine registered users’ phone numbers.

2. PIN Code Exposure: User-set PINs, intended to secure the app, were inadvertently broadcast to other users within the same public channel.

Daigle’s findings revealed that approximately 2,000 users’ phone numbers could be enumerated due to the app’s lack of rate-limiting mechanisms. The technique mirrors one described by researchers at the University of Vienna, who matched billions of phone numbers against WhatsApp’s servers to scrape data on 3.5 billion user accounts.

Technical Analysis

By utilizing network traffic inspection tools, Daigle observed that Freedom Chat’s system responses included the PIN codes of all users within a public channel. This flaw meant that any participant in the default channel, which users join upon registration, could access others’ PINs. Such exposure could allow unauthorized access to the app, especially if a user’s device was lost or stolen.

Company Response

Upon being informed of these vulnerabilities, Freedom Chat’s founder, Tanner Haas, confirmed that the company had taken corrective actions:

– PIN Reset: All user PINs were reset to mitigate potential unauthorized access.

– Software Update: A new version of the app was released to address the identified issues.

– Enhanced Security Measures: The company increased rate-limiting on its servers to prevent mass-guessing attempts and is working to eliminate instances where users’ phone numbers were visible.
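
The two server-side controls this incident points to, sketched as an added example (not Freedom Chat's code; every name, field and limit below is hypothetical): member objects built from an allowlist so a stored PIN cannot reach other channel participants, and a per-client budget on phone-number lookups.

```python
import time
from collections import defaultdict, deque

# Hypothetical field names; the app's real schema does not appear on this page.
PUBLIC_MEMBER_FIELDS = ("user_id", "display_name")  # explicit allowlist


def serialize_member(record):
    """Build the outbound member object from an allowlist, so secrets such as
    a PIN or phone number never reach other channel participants, even if the
    stored record gains new fields later."""
    return {k: record[k] for k in PUBLIC_MEMBER_FIELDS if k in record}


class LookupLimiter:
    """Sliding-window limit on phone-number lookups per client."""

    def __init__(self, max_lookups=20, window_s=3600.0):
        self.max_lookups = max_lookups
        self.window_s = window_s
        self._hits = defaultdict(deque)  # client_id -> lookup timestamps

    def allow(self, client_id, now=None):
        now = time.monotonic() if now is None else now
        hits = self._hits[client_id]
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()  # drop lookups that have left the window
        if len(hits) >= self.max_lookups:
            return False
        hits.append(now)
        return True


def lookup_contact(limiter, directory, client_id, phone, now=None):
    """Contact-discovery handler: refuse once the budget is spent, before
    touching the directory, so a throttled reply reveals nothing."""
    if not limiter.allow(client_id, now):
        return {"status": 429}
    return {"status": 200, "registered": phone in directory}


if __name__ == "__main__":
    # Constructed sample data.
    stored = {"user_id": "u1", "display_name": "alice",
              "pin": "0000", "phone": "+15555550100"}
    print(serialize_member(stored))  # pin and phone are absent
    lim = LookupLimiter(max_lookups=3, window_s=60)
    guesses = ["+1555555010%d" % i for i in range(5)]
    print([lookup_contact(lim, {"+15555550100"}, "client-a", g, now=0.0)["status"]
           for g in guesses])
```

A production limiter would also key on account and source network rather than a single client identifier, since an enumerating client can rotate whichever one is checked.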

In an app store update, Freedom Chat stated:

“A critical reset: A recent backend update inadvertently exposed user PINs in a system response. No messages were ever at risk, and because Freedom Chat does not support linked devices, your conversations were never accessible; however, we’ve reset all user PINs to ensure your account stays secure. Your privacy remains our top priority.”

Background on Freedom Chat

Freedom Chat is the second messaging application developed by Tanner Haas, following Converso. Converso was previously delisted from app stores after security flaws were discovered that exposed users’ private messages and content.

Implications for Users

This incident underscores the importance of robust security measures in messaging applications. Users entrust these platforms with sensitive information, and any breach can have significant privacy implications. It also highlights the necessity for companies to implement comprehensive vulnerability disclosure programs, allowing researchers to report issues promptly and securely.

Conclusion

While Freedom Chat has taken steps to rectify the identified vulnerabilities, this event serves as a reminder of the continuous need for vigilance in app security. Users are encouraged to update their applications regularly and remain informed about potential security issues to protect their personal information.