Recently, Dylan Roussel shared a tweet expressing his concerns about the data vulnerability of the CMF Watch app, saying that users’ data is at risk.
After the launch of the Nothing Chats app, Dylan was the first person to point out that Nothing Chats had data privacy problems and that chats were not end-to-end encrypted. That tweet came into the limelight, and eventually Nothing had to remove its chat app from the Play Store.
Recently, he tweeted a thread explaining how the CMF Watch Pro app is not encrypting user data and how Nothing has responded to his report. He first reported this data vulnerability to Nothing in September, during the Nothing Chats and Sunbird chaos. He found out that the CMF Watch app is developed by a company named Jingxun and is based on React Native.
Researching the app further, he found that back in September the CMF Watch app was encrypting both the email and the password that the user enters to log in to his or her account. The problem was the encryption method: it allowed anyone to decrypt the email and password with the exact same keys.
Anyone who got hold of an encrypted email and password would have been able to decrypt them, which makes the encryption useless and a concern for users’ data.
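The point above, that a reversible cipher whose key every copy of the app carries protects nothing, can be shown directly. The following is an added example and is not code from the CMF Watch app, Jingxun, Nothing or Dylan Roussel; the app's actual cipher is not public, so an HMAC-SHA256 keystream stands in for it (an assumption), and the key, email and password are constructed values. The first half reproduces the flawed design: anyone holding the app's embedded key recovers both credentials exactly. The second half shows the hardened handling for the password: the server stores only a random salt and a slow one-way hash (PBKDF2), so it can verify a login but can never read the password back. The email still has to reach the server in clear, so for it the fix is TLS in transit rather than client-side obfuscation.

```python
"""Added illustration: why a reversible cipher whose key ships inside the app
gives credentials no real protection, and what a server should do instead.
Not code from the CMF Watch app, Jingxun, Nothing or Dylan Roussel."""
import hashlib
import hmac
import os

# Constructed stand-in for a key baked into an app binary. Every install of
# the app carries the same value, so it is not a secret from anyone.
APP_EMBEDDED_KEY = b"constructed-app-key-not-a-real-value"

PBKDF2_ROUNDS = 200_000


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a generic reversible stream
    cipher. The cipher the app actually used is not public (assumption)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def client_side_encrypt(key: bytes, plaintext: str) -> bytes:
    """The flawed design: XOR the credential with a keystream derived from the
    shared key. Reversible by anyone who holds that key."""
    data = plaintext.encode("utf-8")
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def client_side_decrypt(key: bytes, ciphertext: bytes) -> str:
    """Decryption is the same XOR; with the shared key, the ciphertext is just
    an obfuscated copy of the plaintext."""
    stream = _keystream(key, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode("utf-8")


def server_store_password(password: str) -> tuple[bytes, bytes]:
    """Hardened handling for the password: the server keeps only a random
    per-user salt and a slow one-way hash. Nothing stored can be turned back
    into the password, by the operator or by whoever copies the database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def server_verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash from the submitted password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def demonstrate(email: str = "user@example.invalid", password: str = "correct horse") -> dict:
    """Run both designs on constructed sample credentials and report the outcome."""
    enc_email = client_side_encrypt(APP_EMBEDDED_KEY, email)
    enc_password = client_side_encrypt(APP_EMBEDDED_KEY, password)
    salt, digest = server_store_password(password)
    return {
        # Flawed design: the shared key recovers both values exactly.
        "email_recoverable_with_app_key": client_side_decrypt(APP_EMBEDDED_KEY, enc_email) == email,
        "password_recoverable_with_app_key": client_side_decrypt(APP_EMBEDDED_KEY, enc_password) == password,
        # Hardened design: the server can check the password but not read it.
        "server_accepts_correct_password": server_verify_password(password, salt, digest),
        "server_rejects_wrong_password": server_verify_password("wrong", salt, digest),
        "stored_digest_is_not_password": digest != password.encode("utf-8"),
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name}: {result}")
```

Running the script prints the five checks; the two "recoverable" lines come out True because the key is shared, while the server-side design accepts the right password, rejects a wrong one, and never holds anything that decrypts to the password.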
He submitted a report on this issue to Nothing’s team, and it was partially fixed: the encryption method for the password was updated, but the email was still at risk and remains so to date. Dylan also stated that Nothing replied to his initial report but is now not responding to him.
The vulnerability still exists and has not been resolved completely; both user and internal data are at risk. Furthermore, he also expressed concern about the lack of a public email address allowing people like him to report such vulnerabilities.