How Snapchat imitator Puffchat managed to do everything wrong

Snapchat imitator Puffchat is like any dime-a-dozen startup, attempting to capitalize on both the failures and popularity of its likeness.

Except it seems to be really extra good at the failures part.

When security problems somehow worse than Snapchat's notorious (and avoidable) December security disaster were brought to the attention of its UK based founder Mike Suppo, things went from bad to worse in what can best be described as an incurable, likely fatal case of being a complete idiot.

Unlike Snapchat, Suppo chose not to continue ignoring the problem. Suppo simply decided that the problem was the hacker's public disclosure of Suppo's security failures, and also the problem of the hacker's total actual existence. And facts.

Suppo took immediate action and threatened hacker Thomas Hedderwick on Twitter.

Unfortunately for Suppo, his Twitter account is no longer under his control as I write this. It looks like this:

The person currnetly running Suppo's account has placed a screengrab of Suppo bragging in a text chat about how cheap and easy it is to hire app developers in India.

Welcome to the internet, Mr. Suppo.

Hedderwick's February 22 post expressed an open plea to fix Puffchat, and explained that he tried to contact Puffchat's development team:

In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data.

TUAW described the lead-up perfectly, with their own experiment:

Puffchat, a timed text and photo messaging client in the vein of Snapchat, is broken. So broken in fact that I, with very little knowledge in the way of HTTP sniffing, was able to access supposedly deleted photos and messages using a free-to-download security testing application. Yeah, it's that bad.

Remember, this is supposed to be a Snapchat competitor, and that company has already learned its lesson when it comes claiming that content has been deleted before it actually is.

The iTunes description of Puffchat uses words like "vanishes" and "ultimate protection," but offers neither to the user. In fact, the images shot by Puffchat users are stored as simple JPEG files on the company's Puffchat.me server which can be accessed freely as long as you know the address.

Puffchat's description in iTunes asks users for embarrassing photographs and information, specifically inviting teens, and claiming that Puffchat "works like magic."

Magic, indeed:

To Suppo, Snapchat is a mortal enemy against which he'd hoped to rally faithful users for horrible crimes against their privacy. A call to action on Puffchat's website cleverly circled in everyone's privacy hero, Mark Zuckerberg.

From Puffchat's blog:

What's more alarming is seeing what security- and logic-challenged Puffchat stores about its users. To experience true freedom (from privacy?) we only need give up the exact information required to completely open us up to identity theft.

Hedderwick explained in his frustrated initial disclosure post:

Puffchat popped up on my Facebook Timeline this week with the claim of being a ‘secure’ alternative to Snapchat.

Puffchat’s registration asks for three pieces of information – Email, Password, & your Date of Birth. If these are acceptable it then asks for your desired username  & access to your contacts. A lot of applications these days ask for access to your contacts, yet a lot handle your data incorrectly. One of the first things Puffchat does is upload your address book (via HTTP) to their ‘secure’ severs (...)

Hedderwick continued, "Turns out that searching for anyone gives you their registered username (not bad), birthday (wait what?), and registered email (which is shown in the app under their username)."

Not only that, but you can do almost any operation in the API on any account without access to the account or local access to the device.

Here comes the kicker: Nothing is deleted automatically (even when the message is read). It’s all their in the API responses.

{“success”:true,”data”:[{"id":"***","sender":"***","sender_email":"***@***",

"receiver":"***","receiver_email":"***@***",

"text":"hi babe send me back","filename":"***","time":"***",

"duration":"10","status":"Read","is_taken_screenshot":"0"}

You can clearly see the server knows the message has been read and yet it remains; it's downloaded to your phone every time you make a request for your messages, the client just doesn't show it to you... and yes, that includes the nude d*ckpics you've been sending to that account. To top is all off, you can visit the pictures publicly and see via their site - nice! This is an incredible breach of privacy, and a blatant lie to their customers. It's 'secure' but no SSL, it's 'secure' but I can control your account remotely, it's 'secure' but I can see your junk on the web by visiting a public page.

After the disclosure post went live, Suppo began to obliquely threaten Hedderwick with legal action - which makes total sense because Suppo's Puffchat bio says, "I actually trained to be a lawyer."

Since everyone can see that Hedderwick's bio does not say that he was trained to be a lawyer, so naturally he took the issue of disclosure and threats to Reddit's netsec community.

For some weird and probably unrelated reason, Hedderwick's post was reported as inappropriate and removed by admins within a few hours.

Before it was removed, it looked like this:

This story was brought to you by the letter "B" - for Bubble.

If it wasn't for those damn meddling hackers, everyone would be cashing in on the ease of lying to users about the mysterious dark voodoo of security.

Oh, right.

Sorry.