JusTalk spilled millions of user messages and locations for months

Millions of conversations and call logs were stored in plaintext

Popular messaging app JusTalk left a huge database of unencrypted private messages publicly exposed to the internet without a password for months.

The messaging app has around 20 million international users, while Google Play lists JusTalk Kids, billed as a child-friendly version of its messaging app, has racked up over 1 million Android downloads.

JusTalk says both its messaging apps are end-to-end encrypted and boasts on its website that “only you and the person you communicate with can see, read or listen to them: Even the JusTalk team won’t access your data!”

But that isn’t true. A logging database used by the company for keeping track of bugs and errors with the apps was left on the internet without a password, according to security researcher Anurag Sen, who found the exposed database and asked TechCrunch for help in reporting the lapse to the company.

The database and the hundreds of gigabytes of data inside — hosted on a Huawei-hosted cloud server in China — could be accessed from the web browser just by knowing its IP address. Shodan, a search engine for exposed devices and databases, shows the server was continually storing the most recent month’s worth of logs since at least early January when the database was first exposed.

A short time after we reported that the app was not end-to-end encrypted as the company claims, the database was shut down.

Juphoon, the China-based cloud company behind the messaging app, says on its website that it spun out JusTalk in 2016 and is now owned and operated by Ningbo Jus, a company that appears to share the same office as listed on Juphoon’s website.

Leo Lv, Juphoon’s chief executive and JusTalk’s founder, opened our emails but did not respond, or say if the company planned on notifying users about the security lapse.

Because the server’s data was entangled with logs and other computer-readable data, it’s not known exactly how many people had their private messages exposed by the security lapse.

The server was collecting and storing more than 10 million individual logs each day, including millions of messages sent over the app, including the phone numbers of the sender, the recipient and the message itself. The database also logged all placed calls, which included the caller’s and recipient’s phone numbers in each record.

Because each message recorded in the database contained every phone number in the same chat, it was possible to follow entire conversations, including from children who were using the JusTalk Kids app to chat with their parents. One conversation chain contained enough personal information to identify a pastor who was using the app to solicit a sex worker who lists their phone number publicly for their services, including the time, location and the price of their meeting.

None of the messages were encrypted, despite JusTalk’s claims.

We also previously reported that the database also included granular location data of thousands of users collected from users’ phones, with large clusters of users in the U.S., U.K., India, Saudi Arabia, Thailand and mainland China. The database also contained records from a third app, JusTalk 2nd Phone Number, which allows users to generate virtual, ephemeral phone numbers to use instead of giving out their private cell phone number. A review of some of these records show the database was logging both the person’s cell phone number and every ephemeral phone number that they generated.

But TechCrunch found evidence that Sen was not alone in finding the exposed database.

An undated ransom note left on the database suggests it was accessed on at least one occasion by a data extortionist, a bad actor that scans the internet for exposed databases in order to steal it and threaten to publish the data unless a ransom of a few hundred dollars worth of cryptocurrency is paid.

It’s not known if any JusTalk data was lost or stolen as a result of the extortionist’s access, but the blockchain address associated with the ransom note shows it has not yet received any funds.