Messaging app JusTalk is spilling millions of unencrypted messages

·3 min read

Popular video calling and messaging app JusTalk claims to be both secure and encrypted. But a security lapse has proven the app to be neither secure nor encrypted after a huge cache of users' unencrypted private messages was found online.

The messaging app is widely used across Asia and has a booming international audience with 20 million users globally. Google Play lists JusTalk Kids, billed as its child-friendly and compatible version of its messaging app, as having more than 1 million Android downloads.

JusTalk says both its apps are end-to-end encrypted — where only the people in the conversation can read its messages — and boasts on its website that "only you and the person you communicate with can see, read or listen to them: Even the JusTalk team won't access your data!"

But a review of the huge cache of internal data, seen by TechCrunch, proves those claims are not true. The data includes millions of JusTalk user messages, along with the precise date and time they were sent and the phone numbers of both the sender and recipient. The data also contained records of calls that were placed using the app.

JusTalk's website that claims it uses end-to-end encryption, but a cache of spilled user data proves otherwise.
JusTalk's website that claims it uses end-to-end encryption, but a cache of spilled user data proves otherwise.

JusTalk's website claims it uses end-to-end encryption, but a cache of spilled user data shows otherwise. Image Credits: TechCrunch (screenshot)

Security researcher Anurag Sen found the data this week and asked TechCrunch for help in reporting it to the company. Juphoon, the China-based cloud company behind the messaging app said it spun out the service in 2016 and is now owned and operated by Ningbo Jus, a company that appears to share the same office as listed on Juphoon's website. But despite multiple efforts to reach JusTalk's founder Leo Lv and other executives, our emails were not acknowledged or returned, and the company has shown no attempt to remediate the spill. A text message to Lv's phone was marked as delivered but not read.

Because each message recorded in the data contained every phone number in the same chat, it was possible to follow entire conversations, including from children who were using the JusTalk Kids app to chat with their parents.

The internal data also included the granular locations of thousands of users collected from users' phones, with large clusters of users in the United States, United Kingdom, India, Saudi Arabia, Thailand and mainland China.

According to Sen, the data also contained records from a third app, JusTalk 2nd Phone Number, which allows users to generate virtual, ephemeral phone numbers to use instead of giving out their private cell phone number. A review of some of these records reveal both the user's cell phone number as well as every ephemeral phone number they generated.

We're not disclosing where or how the data is obtainable but are weighing in favor of public disclosure after we found evidence that Sen was not alone in discovering the data.

This is the latest in a spate of data spills in China. Earlier this month a huge database of some 1 billion Chinese residents was siphoned from a Shanghai police database stored in Alibaba’s cloud and portions of the data were published online. Beijing has yet to comment publicly on the leak, but references to the breach on social media have been widely censored.