Comments (264)
- josh2600: This is why Signal's encrypted phone number lookup system is so cool. The server uses a bitwise XOR when querying for numbers using hardware-encrypted RAM. The result is that even if you're examining the machine at the most basic levels you can't tell the difference between a negative or positive hit for the phone number unless you're the phone requesting the API.

  Obviously rate limiting is a separate and important issue in API management.

  The thing about building secure systems is that there are a lot of edges to cover.
- codedokode:
  > What's going on in that user object? The pin field seems suspiciously related to the PIN we were asked to input after creating our account

  This might be the fault of an opt-out serialization library (by default it serializes the whole object and you need to manually opt out fields from it). So a programmer adds a field, forgets to add the opt-out annotation, and voilà.

  Or they are just using plain JS dicts on the server and forgot to remove the key before using it in a response.

  > The vulnerability they're talking about was presented in a paper by researchers at the University of Vienna.

  This vulnerability (mapping phone numbers to user IDs via the rendezvous API) is old and was exploited in 2016 in Telegram [1], and allowed the Iranian govt to build a phone book of 15M Telegram users. The paper also mentions that the vulnerability was known in 2012 and is still not fixed.

  [1] https://telegram.org/blog/15million-reuters
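The "opt-out serializer" failure mode described in the comment above, as an added illustration (not code from Freedom Chat, from the article, or from the commenter): a `User` record with a `pin` field, the default "serialize the whole object" path that leaks it, and an opt-in (allowlist) path that only emits fields explicitly marked public. The record, its field names, and the sample values are constructed for this example.

```python
"""Opt-out vs. opt-in (allowlist) serialization of a user record.

Constructed example: the User type, field names and sample values are
hypothetical and exist only to show the two serialization policies.
"""
from dataclasses import asdict, dataclass, field, fields
import json


@dataclass
class User:
    # Fields marked public=True are the only ones the opt-in path emits.
    id: int = field(metadata={"public": True})
    username: str = field(metadata={"public": True})
    phone: str = field(default="")              # never marked public
    pin: str = field(default="")                # secret: server-side verification only
    password_hash: str = field(default="")      # secret


# Constructed sample record (the PIN and hash are placeholders, not real data).
SAMPLE = User(
    id=42,
    username="alice",
    phone="+15555550100",
    pin="1234",
    password_hash="<argon2-hash-placeholder>",
)

SECRET_KEYS = ("pin", "password_hash", "phone")


def opt_out_view(user: User) -> dict:
    """Opt-out policy: everything on the object is emitted unless someone
    remembers to exclude it. Adding a new secret field silently leaks it."""
    return asdict(user)


def opt_in_view(user: User) -> dict:
    """Opt-in policy: only fields whose metadata says public=True are emitted.
    A newly added field is private until a developer deliberately exposes it."""
    return {
        f.name: getattr(user, f.name)
        for f in fields(user)
        if f.metadata.get("public", False)
    }


def to_json(view: dict) -> str:
    """What would actually go on the wire as the API response body."""
    return json.dumps(view, sort_keys=True)


def leaked_secret_keys(view: dict, secrets=SECRET_KEYS) -> list:
    """Regression check a test suite can run against every response shape:
    returns the secret keys that made it into the serialized view."""
    return [k for k in secrets if k in view]


if __name__ == "__main__":
    print("opt-out response:", to_json(opt_out_view(SAMPLE)))
    print("  leaked:", leaked_secret_keys(opt_out_view(SAMPLE)))
    print("opt-in response: ", to_json(opt_in_view(SAMPLE)))
    print("  leaked:", leaked_secret_keys(opt_in_view(SAMPLE)))
```

The `leaked_secret_keys` check is the piece worth keeping around: run it over every response-building function in the test suite so that a field added to the model without an explicit `public` mark fails CI instead of shipping to clients.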
- ericmcer: It's crazy how many security vulnerabilities are just people pinging HTTP endpoints in ways they didn't expect. You would think in order to "hack" a system in 2025 you would need to be doing some crazy computer science wizardry, but it really is just lazy engineers. Like, how do you ship an API and have no rate limiting? It literally takes a line to implement in Nginx.
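The missing control the comment above points at, per-client rate limiting on a lookup endpoint, as an added example that is not code from the article, the app, or the commenter: a sliding-window limiter keyed by client identifier, replayed over a constructed request log so the effect on an enumeration-style burst versus normal use is visible. The client identifiers, timestamps and limits are made up for the example; in production the same policy is usually expressed in the edge proxy (Nginx's `limit_req_zone`/`limit_req` directives) rather than in application code.

```python
"""Sliding-window rate limiter replayed over a constructed request log.

Constructed example: client IDs, timestamps and the 10-per-minute limit are
hypothetical values chosen to show the mechanism, not settings from any
real deployment.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_s` seconds for each key."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)   # key -> timestamps of allowed requests

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False                  # over budget: reject, do not record
        q.append(now)
        return True


def replay(requests, limit: int = 10, window_s: float = 60.0):
    """Feed (timestamp, client_key) pairs through a fresh limiter and count
    how many lookups would have been served versus rejected."""
    limiter = SlidingWindowLimiter(limit, window_s)
    allowed = rejected = 0
    for t, client in sorted(requests):
        if limiter.allow(client, t):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


# Constructed request log (hypothetical client keys):
# one client fires 100 lookups in 10 seconds, another makes 3 over a minute.
BURST_CLIENT = [(i * 0.1, "client-A") for i in range(100)]
NORMAL_CLIENT = [(0.0, "client-B"), (20.0, "client-B"), (40.0, "client-B")]


def rejected_fraction(requests, limit: int = 10, window_s: float = 60.0) -> float:
    """Share of a client's requests the policy turns away; useful as a
    detection signal when it jumps for a single key."""
    allowed, rejected = replay(requests, limit, window_s)
    total = allowed + rejected
    return rejected / total if total else 0.0


if __name__ == "__main__":
    print("burst client  (allowed, rejected):", replay(BURST_CLIENT))
    print("normal client (allowed, rejected):", replay(NORMAL_CLIENT))
    print("mixed log     (allowed, rejected):", replay(BURST_CLIENT + NORMAL_CLIENT))
```

Note that rejected requests are not recorded in the window, so a client that keeps hammering the endpoint does not extend its own lockout; whether you want that or a penalty for over-limit traffic is a policy choice. The `rejected_fraction` per key is also a cheap thing to export to monitoring: a single client with most of its lookups rejected is the pattern described in the article, and worth alerting on even after the limiter is in place.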
- ben_w:
  > but I like to provide only the best blog posts to my tens of readers

  It may not be pertinent to the subject, but clearly I have found a kindred spirit in this author.
- hypeateiDoes Freedom Chat® have a feature to prevent journalists from joining your group chat? Asking for a friend that works at the DoD (sorry, DoW)
- Arch485: If I had a nickel for every "secure" app that handled sensitive user data and then subsequently leaked that data this year... I'd only have 20 cents, which I guess is good. But I'm sure there's more I'm forgetting.

  Related:

  [1] https://news.ycombinator.com/item?id=44684373
  [2] https://news.ycombinator.com/item?id=43964937
  [3] https://news.ycombinator.com/item?id=45985036
- password-app: This is why I'm skeptical of any app claiming "super secure" without open-source verification.

  The real lesson: assume every service will eventually leak something. Use unique passwords everywhere, enable 2FA, and rotate credentials after breaches.

  The tedious part is the rotation. I've seen people skip it because manually changing 50+ passwords is brutal. Automation helps but needs to be done securely (local-only, zero-knowledge).
- CodingJeebus: I stumbled upon a GOP jobs board a year ago that stored submitted job applications in the same search index as the job listings themselves, so all you had to do was search "bob" and find a bunch of resumes and application answers for people who had applied. I couldn't believe it.
- sigwinch: Since Anom, we need a new word other than "honeypot". The next secure messenger will not be created by these types. But many will be incrementally marketed, and each campaign will succeed in reaching a new batch of near-hit recruits.
- pavel_lishin:
  > 2025-12-09: Freedom Chat notifies us issues have been patched

  Have they?
- higginsniggins: When you go to the website the first line is literally "Say hello to Freedom Chat—a next-generation messaging app that keeps your conversations actually private".
- nielsbot:
  > Neither of us had prior experience developing mobile apps, but we thought, "Hey, we're both smart. This shouldn't be too difficult."

  Is this an actual quote? Because it sounds like a standup joke.
- fn-mote: I'm glad "super secure" is in scare quotes.

  I'm glad I have never heard of this app.

  Security and trust go hand in hand.
- HavocWhen something is "super secure" you know it's full of holes. It's right up there with "impossible to hack" and "military grade" aka lowest cost bidder.
- kevin061: Why would you use a messaging platform that requires you to sign up with a very difficult to change piece of information that in many countries is tied to your ID and pretend it is secure?

  *looks at Signal*

  Oh.
- LordGrey:
  > Screenshots aren't really crucial to anything being discussed here, but I like to provide only the best blog posts to my tens of readers ....

  A sentence clipped from a point a little past the introduction, but catchy nevertheless.

  I suspect there will be more than "tens of readers" shortly.
- netfortius: Why in the world would any sane person utilize such an app, knowing what kind of people will be "at the other end" of communication, and what topics would be discussed, even if it were the most secure piece of software ever developed?
- nunezWow; that's a 101-level exploit.
- TZubiri: For every conscientious hacker that tries to do everything right and have a secure and reliable app, there are ten naïve hackers that just publish whatever.
- sneakThis is the same thing that sent weev to jail when he and JB did it against AT&T to determine the email addresses (instead of PINs) of every iPad 3G user.
- ryandrake: I love the quote the article starts with:

  > Neither of us had prior experience developing mobile apps, but we thought, "Hey, we're both smart. This shouldn't be too difficult."

  I think, 40 years from now when we're writing about this last decade or so of software development, this quote is going to sum it all up.
- whoknowsidont: Why does the title not match the article? It's under the character limit.

  Original title is: "Super secure" MAGA-themed messaging app leaks everyone's phone number

  I think that's incredibly important context. Instead of conferring with actual experts in the field, the populist, fascist segment of our society just decided to wing it with technology.

  They BELIEVED they were more secure, with no evidence to back it up.
- aanetThe emoji :facepalm: was invented for exactly this...
- lettergram: Feels a little like clickbait ("MAGA-themed"); never heard of Converso.

  That said, the analysis itself is interesting and worth a look; if nothing else, it's a general pattern you can follow for many chat applications to see how secure they are.
- UniverseHackerIt appears that one of the most central aspects of MAGA is a postmodernist rejection of the very existence of expertise- except, ironically, in the art of grifting itself because they see “recognized experts” in any field as just very successful grifters. Hence replacing competent government employees at every level with incompetent employees. It would track that technology developed for and by the MAGA community is developed with the same philosophy. Anyone planning to buy the Trump phone?
- theultdev: Freedom Chat just looks (and sounds) like a grift tbh.

  The website doesn't really spark any confidence.

  Never heard of it and I'd be surprised if they have more than 100 users.
- LetsGetTechniclAccusing someone else of a crime/problem/whatever that you're also currently doing? Well that's just the MAGA way.
- tonymet: Can those of you writing off half of America as "ignorant" or "anti-science" please move those comments back to Reddit. And what conclusions did you draw when obviously left-leaning apps were breached? FB, LI, Washington Post, Twitter (pre-Elon) all had breaches. Does that mean left- and right-leaning Americans are all ignorant?

  I don't take any offense, but I do have high standards for this forum and cringe comments make me less likely to hang out here.
- shevy-java[flagged]
- cdrnsf[flagged]
- billy99k[flagged]
- ActorNightly[flagged]
- agentifysh: I'm curious why a Canadian is so hell-bent on causing more division in America by embedding his political views in an otherwise decent vulnerability analysis.

  He makes it sound like he's on some sort of a mission... like the users of the messaging app (which I had never heard of before today) should face some sort of backlash for their own political views opposite of his... which is amusing to say the least, as Canadians seem to have permanently marked conservatives, not just in their own country but all over the world, as "MAGA".

  Also, I'd appreciate it if we can keep politics out, which just detracts focus from the technical end of things.
- UberFlyThe comments here are a disaster. Who could have predicted this???