Messaging app JusTalk is spilling millions of unencrypted messages

Popular video calling and messaging app JusTalk claims to be both secure and encrypted. But a security lapse has proven the app to be neither secure nor encrypted after a huge cache of users’ unencrypted private messages was found online.

JusTalk says both its apps are end-to-end encrypted — where only the people in the conversation can read its messages — and boasts on its website that “only you and the person you communicate with can see, read or listen to them: Even the JusTalk team won’t access your data!”

But a review of the huge cache of internal data, seen by TechCrunch, proves those claims are not true. The data includes millions of JusTalk user messages, along with the precise date and time they were sent and the phone numbers of both the sender and recipient. The data also contained records of calls that were placed using the app.

JusTalk’s website that claims it uses end-to-end encryption, but a cache of spilled user data shows otherwise. Image: TechCrunch (screenshot)

Because each message recorded in the data contained every phone number in the same chat, it was possible to follow entire conversations, including from children who were using the JusTalk Kids app to chat with their parents.

The internal data also included the granular locations of thousands of users collected from users’ phones, with large clusters of users in the United States, United Kingdom, India, Saudi Arabia, Thailand and mainland China.

We’re not disclosing where or how the data is obtainable, but are weighing in favor of public disclosure after we found evidence that Sen was not alone in discovering the data.


Leave a Comment

Your email address will not be published.