
Puff Puff… Pass - helmut_hed
http://faptrackr.org/blog/?p=70
======
MichaelGG
Terrible response by the Puffchat guy:
[https://twitter.com/MikeSuppo](https://twitter.com/MikeSuppo) (Google Play's
dev listing goes to the Puffchat blogspot site, which links to this Twitter
account.)

    "This is a friendly message to advise that you remove all web based content about Puffchat"
    "Please remove within 1 hour."
    "Puffchat will be fixed in due course. Every piece of content with the original author's name attached to it after GMT scheduled will only provide evidence that can be used against him."

Edit: Actually, this could just be a publicity stunt. Do something boneheaded
like this, get some exposure. Take flak from users that don't necessarily
matter, and hope to score a lot more users. If you're not getting the growth
you hoped for, what do you have to lose?

~~~
lostcolony
Maybe. But a publicity stunt that highlights findings that run counter to what
you're trying to sell the platform on seems dubious.

~~~
madaxe_again
No such thing as bad publicity. It gets the brand known "oh, yeah, puffchat,
I've heard of that, can't remember why", and if they tell users that it's
secure often enough, no amount of evidence that it isn't will make any
difference - humans respond more strongly to an authoritative voice than to
objective reality.

------
nthitz
[https://twitter.com/sexysez95_sarah](https://twitter.com/sexysez95_sarah) -
fake account promoting puffchat seems pretty sleazy.
[https://twitter.com/Queenselfie96](https://twitter.com/Queenselfie96) also
seems suspicious

~~~
NinjaLikesCheez
Yeah they are pretty awful, the funny thing is they're the most popular
accounts on the app :/

~~~
deletes
This is what reverse google image search says:


Her actual account:
[https://twitter.com/rachelburr1](https://twitter.com/rachelburr1)

And her account:
[https://twitter.com/ashleeholmes](https://twitter.com/ashleeholmes)

Either they really like puffchat and they made separate account to promote it,
or the pictures were stolen and the accounts are fake.

~~~
NinjaLikesCheez
Yeah I did an image reverse on a couple of her pictures earlier:

Most of the stuff she sends you can see the pixels of the computer screen she
is taking them on haha

------
tylerlh
I'm not seeing where the "intimidates security researcher" part mentioned in
the title comes in. Am I missing something?

~~~
nknighthb
Seems the founder thinks he can suppress speech through tweeting:
[https://twitter.com/NinjaLikesCheez/status/44064551256879513...](https://twitter.com/NinjaLikesCheez/status/440645512568795136)

~~~
tylerlh
Thanks for the link! I thought I was taking crazy pills.

------
helmut_hed
You can read the founder's response to the disclosures on Twitter
[https://twitter.com/MikeSuppo](https://twitter.com/MikeSuppo)

~~~
doktrin
Reading his responses, the entire app feels like a bad attempt at trolling.

In any case, nice write up. I enjoyed reading it.

------
deletes
And it is all over the internet:

 _Blog’s going offline while we bump the specs so we can deal with all the
traffic, bear with._

I expect to see some articles tomorrow.

First one: [http://www.tuaw.com/2014/03/03/snapchat-competitor-puffchat-...](http://www.tuaw.com/2014/03/03/snapchat-competitor-puffchat-is-incredibly-insecure-founder-thr/)

------
NSAID
I'm not too impressed with the blog's author either. He documents breaking
into another website in a previous blog post:
[http://faptrackr.org/blog/?p=45](http://faptrackr.org/blog/?p=45)

~~~
hrrsn
That website hosted pirated copies of iOS apps, so it's not as bad as it
seems.

~~~
deletes
It seems OP is in similar business.

[https://github.com/KJCracks/Clutch](https://github.com/KJCracks/Clutch)

~~~
iNeal
Piracy is not the only reason why you would decrypt an app.

~~~
bennyg
Exactly. A lot of people don't know that you can easily crack a .ipa binary
and see things like method names and string constants with about 5 minutes of
work. You can do the same with Android .apk files. Seriously, if you're doing
security intensive software, try to crack your own binary and see what
information you can get. You'll probably see way more than you thought you
would.

------
netman21
Take a look at Vaporstream. They have ephemeral messaging that leverages vram
to hide the messages from the kernel. Pretty secure.

------
primitivesuave
They really need to make a secure version of this app. You'd be saving
thousands of burner phones from entering landfills.

~~~
MichaelGG
Aren't burner phones that way because you want to ditch the entire phone to
erase any link to you after using it in an incriminating way?

Even if this app was "secure", it wouldn't prevent the need to ditch a phone.
LE can subpoena the company, find out which IP:port connected for whatever
user/message. Then go to cell company and get records and track the cell.

------
pistle
1. Create snapchat alternative to try to harvest sensitive content & info.
2. Profit.

There is no platform or space, in someone else's control, that you can or
should trust this way.

------
en4bz
From Founders twitter:

> provide evidence that can be used against him.

So is the founder trying to mount a legal case against him for hacking?

~~~
lstamour
11 (or is it 12?) months in, Andrew "Weev" Auernheimer is still serving a
3-year conviction (on appeal now) for "hacking" the AT&T iPad signup script to
get email addresses out of it ... using a web request and random numbers. In
case that's not clear enough, it was published, public data waiting to be
requested, no security restrictions except the numbers to be guessed. I'd say
that's the same for any such "private" (hah!) service that uses ID numbers to
access data over public channels, wouldn't you?

------
wudf
@notacop See what great work you could be doing if you would participate in
the year of code?

------
sergiotapia
Ultimate Streisand effect - I have literally never heard of this app that
seems geared towards drug users; and yet I learn about it from its
incompetence.

How do people release public APIs without THE MOST BASIC OF SECURITY CHECKS?
Really? You can add a friend without any checks and even send messages as
someone else? Christ.

A) Who funds these guys?

B) How can I get a piece of that seemingly-easy-as-hell-to-get pie?

~~~
nknighthb
I triggered executive-level uproar just yesterday by pointing out what should
have been obvious security issues in an API we were about to be asked to
integrate with. I was not the first technical person to look at the document
we were given, and in fact I was the only one to look at it who couldn't
actually read it in detail (it was in Chinese, I only speak English, but the
identifiers were in English), but nobody else had spotted the problem.

I'm not a roving security consultant, so my sample size is limited, but I have
seen little evidence that even basic security awareness is part of the toolkit
any substantial number of developers have.

~~~
jmngomes
Agreed, and I think that's when a (good) CS education makes the difference, by
helping you grasp how to design and code for security, which are fundamental
concepts that a lot of "junior" developers have no clue about. And then you
see the same basic attack vectors creeping up all the time...

~~~
nknighthb
I have no CS education. I don't have any degree, or even a high school
diploma. Most of those around me have had CS or related degrees, many from
quite well-regarded programs, but there has been no apparent correlation to
security awareness. To the extent they have an edge, it's in mathematical
analyses and algorithm design/implementation[0], which are of limited direct
use in most day-to-day things like noticing "this endpoint uses plain HTTP",
"this isn't an HMAC, also serial numbers aren't secret keys", or "a 4-digit
PIN is not a secure password".

[0] And even then, I've wondered more than once what the hell goes on in CS
programs when I've found myself explaining concepts like entropy and the
difference between speed and scalability.

------
mpchlets
Hmm, did you just post this "disclosure" on your blog before informing the
company? Well, now everyone is at risk if your claims are true. Poor form.

Proper course is to disclose to company first, then disclose after fix is in
place in reasonable amount of time. Why risk everyone for your benefit?

~~~
zorpner
As you can read in the article, he did try to contact the developer.

That aside, though, when the issues are this egregious I'm honestly not sure
what the right approach is. With flaws this bad it's hard to imagine that
they're even capable of fixing the problems, let alone responding
appropriately to the disclosure.

~~~
hrrsn
They seem like really easy problems to fix, too.

------
endlessvoid94
This needs to be a part of ThatHigh.com :)

Except, you know, not sketchy.

