Puffchat, a competitor to the popular app Snapchat, has a few security flaws, according to reports this week.
User Thomas Hedderick found that the app, which claims to send messages that then disappear as Snapchat's do, saves deleted messages and makes allegedly deleted photos accessible via the web.
He also found that searching for anyone via the app can return that person's username, birth date, and e-mail.
Hedderick wrote in a blog post: “You can clearly see the server knows the message has been read and yet it remains; it’s downloaded to your phone every time you make a request for your messages, the client just doesn’t show it to you… and yes, that includes the nude dickpics you’ve been sending to that account. To top it all off, you can visit the pictures publicly and see via their site – nice! This is an incredible breach of privacy, and a blatant lie to their customers. It’s ‘secure’ but no SSL, it’s ‘secure’ but I can control your account remotely, it’s ‘secure’ but I can see your junk on the web by visiting a public page. Proof? Here you go.”
Hedderick said he tried contacting Puffchat’s founder, but according to TUAW.com, he got no response.
But earlier this week, founder Michael Suppo told Hedderick on Twitter that he needs to remove any mentions of the app’s security issues or Suppo will take legal action, the website reported.
In a blog post, Suppo wrote: “Last week, a security researcher posted information about our API. Unfortunately, the information was not emailed to any of our Puffchat administration accounts and was therefore not responsibly disclosed over the internet.”
He added, “Over the next few days we will be implementing more safeguards to make improvements to combat spam and abuse.”