
My question refers to a behavior on a production system with more than 100 million chat users.

Some time ago I changed my account password and removed all devices connected to my account. The next day I noticed that during the night I still received all messages addressed to me by push notification on my mobile phone. Then I tried the same thing with another account and an emulated Android phone and ended up with the same results.

The app requires login data, but all private messages are still delivered to my deauthorized phone via push notifications. The deauthorized devices no longer appear on the account page as connected devices.

After about a week of trying to explain to the support team what my problem is, it was finally taken more seriously.
However, they can't tell me what devices are connected to my account and who is able to read my messages right now. I was simply told that no suspicious behavior was noted.

I have been spying on my own messages from my mobile phone for over 5 months now.

Question 1: Do you have any idea what kind of problem this is and how hard it is to write a fix for it?

Question 2: Could this situation possibly be applied to accounts that were never connected to the mobile phone?

Question 3: Who, apart from support, can I contact and how long should I wait until I approach someone else? I have already been informed that they might not get back to me.

robusto
  • If you reboot your phone, do you stop getting messages? My guess would be that your phone still has an active _session_, and they don't check that. Removing connected devices would then just remove the authorization to log in, so any device that then tried to log in (from being off the network long enough, or getting rebooted, etc) wouldn't be able to get in then. If so, then: 1) Ease of fix depends on too many factors, but likely easy, 2) Absolutely not (assuming no other issues) 3) Usually, disclosure guidelines say 90 days before publishing. Contact a dev directly? – Clockwork-Muse Jul 17 '20 at 15:52
  • No, it takes a little longer after rebooting, but after a few minutes I can read all messages again in real time. On my physical phone and on my emulated phone. I cannot talk directly to the developers, they have no other channels than public forums. But the support told me that my request was passed on to the developers. I think it is reasonable to assume that my messages are actually being read by someone else, which is why I originally changed my password. – robusto Jul 18 '20 at 11:43
  • @robusto do you have any update? – vidarlo Dec 30 '20 at 20:49
  • @vidarlo No technical updates. I contacted their data protection officer and received no response within 30 days. I have documented everything and this behaviour is easy to reproduce. I think it will be best if I contact a state data protection authority with this. – robusto Dec 30 '20 at 21:01
  • https://www.schneier.com/essays/archives/2007/01/schneier_full_disclo.html is perhaps worth a read in this situation! Thanks for the update :) – vidarlo Dec 30 '20 at 22:26
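The failure mode Clockwork-Muse hypothesises in the comments (removing devices only strips the account-page view and the right to log in again, while the path that delivers message content by push is never told, and never re-checks authorization) can be modelled in a few lines. The Python below is an added illustration and is not code from the app or from anyone on this page. Every name in it (Account, Device, push_registry, dispatch_flawed, dispatch_fixed, the session-generation counter) is invented for the example; the "bump a generation on password change" scheme is one common way to invalidate existing sessions and is an assumption, not something the page confirms the app uses.

```python
"""Constructed model of revocation that does not reach the push path.

Two independent defects are shown, each sufficient to reproduce the symptom
described in the question:
  1. remove_all_devices_flawed() clears the device list but leaves the push
     subsystem's registry untouched.
  2. dispatch_flawed() delivers message content to every registered push token
     without asking whether that device still holds a valid session.
The *_fixed variants close each gap; either one alone stops the leak, and a
production system should have both (defence in depth).
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    push_token: str          # handle a push gateway would use to reach the phone (assumed)
    session_generation: int  # password generation the session was issued under (assumed scheme)


@dataclass
class Account:
    username: str
    password_generation: int = 0                       # bumped on every password change
    devices: dict = field(default_factory=dict)        # device_id -> Device: what the account page shows
    push_registry: dict = field(default_factory=dict)  # push_token -> device_id: owned by the push subsystem

    def register_device(self, device_id: str) -> Device:
        dev = Device(device_id, secrets.token_hex(8), self.password_generation)
        self.devices[device_id] = dev
        self.push_registry[dev.push_token] = device_id
        return dev

    def change_password(self) -> None:
        # Any session issued under an older generation is now stale.
        self.password_generation += 1

    def remove_all_devices_flawed(self) -> None:
        # Bug 1: only the user-visible list is cleared; the push registry is never informed.
        self.devices.clear()

    def remove_all_devices_fixed(self) -> None:
        # Revocation must reach every subsystem that can deliver message content.
        for dev in self.devices.values():
            self.push_registry.pop(dev.push_token, None)
        self.devices.clear()

    def session_is_valid(self, device_id: str) -> bool:
        dev = self.devices.get(device_id)
        return dev is not None and dev.session_generation == self.password_generation


def dispatch_flawed(acct: Account, message: str) -> dict:
    """Bug 2: push content to every token the push subsystem knows about, no authorization check."""
    return {tok: message for tok in acct.push_registry}


def dispatch_fixed(acct: Account, message: str) -> dict:
    """Authorize each delivery against the account's current device and session state."""
    delivered = {}
    for tok, device_id in list(acct.push_registry.items()):
        if acct.session_is_valid(device_id):
            delivered[tok] = message
        else:
            # Stale registration: drop it so the token can never be reached again.
            del acct.push_registry[tok]
    return delivered


def scenario(fixed_removal: bool, fixed_dispatch: bool) -> dict:
    """Replay the question's steps: two devices, password change, remove all devices, new message."""
    acct = Account("alice")
    acct.register_device("phone")
    acct.register_device("emulator")
    acct.change_password()
    (acct.remove_all_devices_fixed if fixed_removal else acct.remove_all_devices_flawed)()
    dispatch = dispatch_fixed if fixed_dispatch else dispatch_flawed
    return dispatch(acct, "private message")


if __name__ == "__main__":
    print("flawed removal + flawed dispatch:", len(scenario(False, False)), "devices still receive content")
    print("fixed removal   + flawed dispatch:", len(scenario(True, False)))
    print("flawed removal  + fixed dispatch: ", len(scenario(False, True)))
```

The point of the model is that "remove device" and "deliver message" are typically handled by different subsystems, and revocation only works if either the revocation event propagates to the push registry or the dispatcher re-authorizes every delivery against live session state. Note that dispatch_fixed also refuses delivery after a password change alone, because the device's session generation no longer matches; a system that lacks that check will keep pushing content to a device whose password has already been changed, which matches the first observation in the question.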
