- The app exposed real-time chats and private photos of around 10 million users.
- The unsecured server remained accessible even after the researcher notified the company behind the app.
A security researcher discovered an unsecured server belonging to a Chinese app exposing chats and private photos of around 10 million users.
The big picture
The security researcher Darryl Burke discovered the Chinese app Sweet Chat exposing the chat contents and photos of over 10 million users through an unsecured server.
Burke noted that anyone with MQTT-related tools could view the real-time chats and private photos of every Sweet Chat user who was online.
Further analysis of the exposed data revealed a significant amount of bot traffic on the app. The researcher suggests the bots were used to lure users into spending credits or sending various gift cards, for financial gain.
About Sweet Chat
Sweet Chat is a Tinder-like Android chat application. It has risen into the top 10 social apps in Latin America, the Middle East, and some other regions, and is currently estimated to have around 10 million users.
Sweet Chat uses the MQTT messaging protocol for the app's standard publish/subscribe features. A flawed MQTT deployment can expose private data.
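As an added illustration, not taken from the article or from Sweet Chat's own configuration, the following shows what an MQTT broker exposure of this kind typically looks like on the server side, using a Mosquitto broker: the weak configuration in which any client can connect and subscribe to everything, beside a hardened one that requires TLS, per-user credentials, and a topic ACL. The `chat/<user>/inbox/...` topic layout and the file paths are assumptions for the example.

```conf
# --- WEAK: mosquitto.conf as commonly found on exposed brokers (assumed) ---
# Plaintext listener, no authentication, no ACL file: every client may
# connect anonymously and subscribe to "#", i.e. every message of every user.
listener 1883
allow_anonymous true

# --- HARDENED: mosquitto.conf ---
# TLS listener so chats and photos are not readable on the wire.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key

# Every client must present a username/password (file created with mosquitto_passwd).
allow_anonymous false
password_file /etc/mosquitto/passwd

# Topic-level authorization; once an acl_file is set, Mosquitto denies
# anything not explicitly granted below.
acl_file /etc/mosquitto/acl

# --- HARDENED: /etc/mosquitto/acl ---
# %u is replaced by the authenticated username, so a user can only
# read their own inbox and can only publish under their own sender name.
# Subscribing to "#" or to another user's inbox is denied.
pattern read  chat/%u/inbox/#
pattern write chat/+/inbox/%u

# Optional operations account with read-only visibility for monitoring.
user monitor
topic read $SYS/#
```

A quick self-check for a deployment like this is to attempt an anonymous connection and a subscription to `#` with a standard MQTT client: both should be refused.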
What data was compromised?
The unsecured server belonging to the company exposed real-time chats and private photos of all the online users on the Sweet Chat app.
How did the company respond?
On July 21, 2019, Burke notified the company behind the app about the unsecured server. However, by August 9 the server was still unsecured.
On August 12, 2019, the researcher noticed that the exposed server had been secured with a temporary fix. However, the researcher suggested that the company needed major design changes to fix all of the issues.