It appears that messaging app Blastchat – which was recently selected for Kik’s $3 million cryptocurrency developer program – has been caught storing sensitive user data, including passwords, in plain text.
Blastchat gained recognition following its inclusion the Kin Developer Program, an incubator-style startup ecosystem created by instant messaging giant Kik. The program is designed to source the best in new cryptocurrency projects by putting $3 million in incentives up for grabs.
Despite earning a spot in Kik’s developer program, Blastchat reportedly did not use any encryption for communicating between devices and (centralized) servers. This means that all passwords, emails, phone numbers, and usernames were practically visible to the creators of Blastchat.
The jarring vulnerability was first surfaced by independent outlet NuFi. Blastchat has since confirmed the issue, and quietly taken down its apps from both the App Store and Google Play.
Despite initially downplaying the authenticity of the report, a Kin spokesperson confirmed to Hard Fork that the breach is indeed authentic.
Pressed about how this flaw slipped through the Kin team, the spokesperson explained the company has a selection committee that audits the code of each applicant. Presumably, Blastchat went through the same process:
Each application for the Kin Developer Program was carefully reviewed by a selection committee comprised of four team members and a technical advisor. The committee scored each application based on a number of criteria, including the quality of the product’s use case, the quality of the team, and the likelihood that each development team would meet the program’s predetermined milestones.
Participants in the program won’t present their Kin integrations until October 2. Following this, the developers will be responsible for submitting their apps – with the Kin integration – to Google Play and the App Store. At this point, we have not seen any integrations, and the security breach is unrelated to Kin or the Kin Developer Program. Security will be one component that will be evaluated during demo day, and we’lll be looking into this when Blastchat’s Kin integration is presented.
It remains unclear how many users were affected, but Kik claims Blastchat never rolled out its Kin integration. “Blastchat was never live with Kin in it,” Kin told Hard Fork. “We’ll be evaluating the security of all apps in the program before they submit the new versions with Kin integrations after the demo day.”
It should be noted that Developer Program apps submitted on demo day must be integrated with the Kin cryptocurrency. The additional pressure of protecting live money, now that Kin knows how haphazard Kin Developer Program implementations can be, has been enough to warrant the auditing of code before submission.
The whole ordeal has led to an unfortunate situation for Blastchat devs. In a tweet to Hard Fork, Blastchat described what happened after the discovery of its poor practices.
“We went and terminated our AWS Cloud instance. This removed all of [our] data, so on launch day, we will be starting with zero users,” an official account wrote. “We will have an update early next week, after we figure out what happened.”
It can’t be understated just how ludicrously negligent security practices like these actually are. The dangers of storing sensitive data in plain text files are not only widely documented, the repercussions have played out repeatedly.
If you are an early adopter of the Blastchat app, its probably best to read up on what to do, now that your account credentials have been compromised.
If anything, this is a cautionary tale for us all: partnerships are not endorsements, and if you dabble with new cryptocurrency platforms, use throwaway credentials that you don’t use anywhere else.
And for every other service on the internet: stop storing account information as plain text!
Published September 13, 2018 — 15:51 UTC