JusTalk left a huge database of private messages exposed to the internet without a password.
The messaging app has 20 million international users, while the JusTalk Kids version of the app has over one million downloads.
JusTalk says that only you and the person you communicate with can see, read or listen to your data, and that even the JusTalk team won't access your data.
That isn't correct. A logging database used by the company for keeping track of bugs and errors with the apps was left on the internet without a password.
The database and hundreds of gigabytes of data are hosted on a cloud server in China and can be accessed from the internet. Shodan shows that the server has been storing the most recent month's worth of logs since early January, when the database was exposed.
The database was shut down after we reported that the app was not end-to-end secure.
Juphoon, the China-based cloud company behind the messaging app, says on its website that it spun out JusTalk in 2016 and is now owned and operated by another company.
Juphoon's chief executive and JusTalk's founder didn't reply or say if the company planned on notifying users about the security lapse.
It is not known how many people had their private messages exposed by the security lapse.
The server was collecting and storing more than 10 million individual logs each day, which included millions of messages sent over the app, along with the phone numbers of the sender and recipient and the message itself. All placed calls were recorded and included the caller's and recipient's phone numbers in the records.
It was possible to follow entire conversations from children using the JusTalk Kids app to chat with their parents because each message contained every phone number in the same chat. One conversation chain contained enough personal information to identify a pastor who was using the app to solicit a sex worker who would list their phone number publicly for their services, including the time, location and price of their meeting.
Despite JusTalk's claims, none of the messages were protected from eavesdroppers.
Large clusters of users in the U.S., U.K., India, Saudi Arabia, Thailand and mainland China were included in the database. JusTalk 2nd Phone Number is an app that allows users to generate virtual, ephemeral phone numbers instead of giving out their private cell phone number. The database was logging both the person's cell phone number and every ephemeral phone number that they generated.
Sen was not the only one who found the database.
The database was accessed on at least one occasion by a data extortionist, a bad actor that scans the internet for exposed databases in order to steal the data and threaten to publish it unless a fee is paid, according to a note left on the database.
It is not known if any JusTalk data was lost or stolen as a result of the extortionist's access, but the address associated with the extortion note shows it has not yet received any funds.
Messaging app JusTalk is spilling millions of unencrypted messages