JusTalk messaging app dumps millions of unencrypted messages

Popular video calling and messaging app JusTalk claims to be both secure and encrypted. But a security breach proved the app was neither secure nor encrypted after a huge cache of users' unencrypted private messages was discovered online.

The messaging app is widely used across Asia and has a growing international following with 20 million users worldwide. Google Play lists JusTalk Kids, billed as its child-friendly and compatible version of its messaging app, as having over a million Android downloads.

JusTalk says both of its apps are end-to-end encrypted - where only the people in the conversation can read the messages - and boasts on its website that "only you and the person you're communicating with can see, read or listen to them: not even the JusTalk team will access your data!"

But an examination of the huge internal data cache, seen by TechCrunch, proves that these claims are not true. The data includes millions of messages from JusTalk users, along with the exact date and time they were sent and the phone numbers of the sender and recipient. The data also contained records of calls made using the app.

The JusTalk website claims to use end-to-end encryption, but a spilled user data cache proves otherwise. Image: TechCrunch (screenshot)

Security researcher Anurag Sen found the data this week and asked TechCrunch for help reporting it to the company. Juphoon, the China-based cloud company behind the messaging app, said it created the service in 2016 and that it is now owned and operated by Ningbo Jus, a company that appears to share the same address as the one listed on the Juphoon website. But despite multiple efforts to reach JusTalk founder Leo Lv and other executives, our emails were not acknowledged or returned, and the company showed no attempt to address the spill. A text message sent to Lv's phone was marked as delivered but not read.

Because every message saved in the data contained every phone number in the same chat, it was possible to track entire conversations, including children using the JusTalk Kids app to chat with their parents.


Internal data also included the precise locations of thousands of users collected from users' phones, with large user groups in the US, UK, India, Saudi Arabia, Thailand and mainland China.

According to Sen, the data also contained records of a third app, JusTalk 2nd Phone Number, which allows users to generate virtual, ephemeral phone numbers to use instead of giving out their private cell phone number. An examination of some of these records reveals both the user's cell phone number as well as any ephemeral phone numbers they generated.

We do not disclose where or how the data may be obtained, but we are leaning towards public disclosure after finding evidence that Sen was not the only one to discover the data.

This is the latest in a series of data spills in China. Earlier this month, a massive database of around 1 billion Chinese residents was taken from a Shanghai police database stored in Alibaba's cloud and parties...

