The popular video calling and messaging app JusTalk claims to be both secure and encrypted. But a security lapse has shown that the app is neither safe nor encrypted, after a huge cache of unencrypted private messages from users was found online.
The messaging app is widely used in Asia and has a growing international audience, with 20 million users worldwide. Google Play lists JusTalk Kids, billed as the kid-friendly and compatible version of the messaging app, with over 1 million Android downloads.
JusTalk says both apps are end-to-end encrypted — where only the people in the conversation can read the messages — and boasts on its website that “only you and the person you’re communicating with can see, read, or listen to them: not even the JusTalk team can access your data!”
But a review of the massive cache of internal data seen by sure naira proves those claims untrue. The data includes millions of JusTalk user messages, along with the exact date and time they were sent and the phone numbers of both the sender and recipient. The data also includes records of calls made through the app.
Security investigator Anurag Sen found the data this week and asked sure naira for help reporting it to the company. Juphoon, the China-based cloud company behind the messaging app, said it launched the service in 2016 and that it is now owned and operated by Ningbo Jus, a company that appears to share the same office address as the one listed on the Juphoon website. But despite multiple attempts to reach JusTalk founder Leo Lv and other executives, our emails were not acknowledged or returned, and the company made no attempt to fix the leak. A text to Lv’s phone was marked as delivered but not read.
Because every message in the data contained the phone numbers of everyone in the same chat, it was possible to follow entire conversations, including those of children who used the JusTalk Kids app to chat with their parents.
The internal data also includes the detailed locations of thousands of users collected on users’ phones, with large clusters of users in the United States, United Kingdom, India, Saudi Arabia, Thailand and mainland China.
According to Sen, the data also includes records from a third-party app, JusTalk 2nd Phone Number, which allows users to generate virtual, ephemeral phone numbers to use instead of giving out their private mobile phone number. A review of some of these records reveals both the user’s cell phone number and any ephemeral phone number they generated.
We are not disclosing where or how the data is available, but are advocating disclosure after finding evidence that Sen was not alone in discovering the data.
This is the latest in a wave of data breaches in China. Earlier this month, a massive database of some 1 billion Chinese residents was siphoned off from a Shanghai Police Department database stored in Alibaba’s cloud, and portions of the data were published online. Beijing has not yet publicly commented on the leak, but references to the breach on social media have been widely censored.