Messaging app Freedom Chat recently fixed two serious security flaws that put its users at risk. One flaw made it possible to guess registered users’ phone numbers, while the other exposed user-set PINs, which are meant to lock the app, to others using the platform.
Freedom Chat, which launched in June, markets itself as a secure messaging app, emphasizing that users’ phone numbers remain private. However, a security researcher discovered vulnerabilities that contradicted these privacy claims. The flaws meant that both phone numbers and PIN codes could be obtained by anyone with minimal technical know-how, highlighting significant gaps in the app’s security.
The vulnerabilities were reported directly to Freedom Chat by the researcher, who noted that the app lacks a formal public vulnerability disclosure program. Upon notification, Freedom Chat’s founder, Tanner Haas, confirmed that the app had taken immediate steps to fix the issues. The company released an updated version of the app, reset all user PINs, and implemented stricter server-side protections, including enhanced rate-limiting to prevent mass-guessing attacks.
The first flaw allowed someone to enumerate users’ phone numbers. Because the app’s server responses revealed whether a submitted number was registered, an attacker could flood the system with millions of guesses and compile a list of registered numbers. According to the researcher, this method made it possible to identify nearly 2,000 users who had signed up since the app’s launch. The technique mirrors recent academic research in which billions of phone numbers were matched against messaging app servers to collect user account data.
The second flaw involved leaking users’ PIN codes. The app’s backend would inadvertently share PINs for all users in a given public channel, even if the codes were not visible within the app itself. This meant that anyone in the default channel—which all new users automatically join—could see the PINs of others. Knowledge of a user’s PIN could allow an attacker to unlock the app if they had access to the user’s device.
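The two defects described above amount to a backend that over-shares (a channel-member response carrying every member’s PIN) and an endpoint that answers “is this number registered?” without a budget. The following is an added illustration, not Freedom Chat’s code: the user model, the sample members, the field names and the rate-limit numbers are all assumptions made for the example, showing a leaky member serializer beside an allow-listed one, and a per-client limiter on the registration lookup of the kind the fix describes.

```python
# Added example (not Freedom Chat's code). Models, field names and sample
# users below are constructed for illustration.
from dataclasses import dataclass
import time


@dataclass
class User:
    phone: str
    display_name: str
    pin_hash: str  # constructed sample; must never be sent to other members


# Constructed sample channel membership
CHANNEL_MEMBERS = [
    User("+15550000001", "alice", "hash-of-1234"),
    User("+15550000002", "bob", "hash-of-9876"),
]


def members_leaky(members):
    """'Before': serialises whole user objects, so the PIN field rides along."""
    return [vars(u) for u in members]


PUBLIC_FIELDS = ("display_name",)  # allow-list of what another member may see


def members_safe(members):
    """'After': only allow-listed fields leave the server."""
    return [{k: getattr(u, k) for k in PUBLIC_FIELDS} for u in members]


class LookupRateLimiter:
    """Sliding window: at most `limit` lookups per client per `window` seconds."""

    def __init__(self, limit=10, window=60.0, now=time.monotonic):
        self.limit, self.window, self.now = limit, window, now
        self._hits = {}  # client_id -> timestamps of recent lookups

    def allow(self, client_id):
        t = self.now()
        hits = [h for h in self._hits.get(client_id, []) if t - h < self.window]
        if len(hits) < self.limit:
            hits.append(t)
        self._hits[client_id] = hits
        return len(hits) <= self.limit and hits and hits[-1] == t


def is_registered(client_id, phone, limiter, registered):
    """Return None (caller answers HTTP 429) once the client is over budget,
    so a millions-of-guesses enumeration is cut off at the server."""
    if not limiter.allow(client_id):
        return None
    return phone in registered
```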
Freedom Chat clarified in an app store update that no messages or conversations were ever at risk. The company emphasized that because the app does not support linked devices, users’ chat histories remained secure. Nevertheless, all user PINs were reset to prevent unauthorized access and strengthen account security. Freedom Chat reassured its users that privacy remains its top priority and that the recent update addresses the previously exposed vulnerabilities.
The founder, Tanner Haas, also indicated that the app is removing instances where phone numbers might have been visible to other users. This, combined with the new rate-limiting measures, is intended to prevent any further mass-guessing attacks on the platform. These steps reflect a growing trend among secure messaging apps to respond quickly to discovered security flaws and proactively protect user data.
This incident is not the first time Haas has dealt with security concerns. Earlier, another messaging app he developed, Converso, was delisted from app stores after vulnerabilities were found that exposed users’ private messages and content. The swift action taken with Freedom Chat shows the company is prioritizing user safety and learning from past experiences.
Security experts say that while the app’s updated protections improve safety, users should remain cautious and use unique, strong PINs. Experts also recommend enabling device-level security features, such as biometric locks, to provide an extra layer of protection in case of device theft or unauthorized access.
Messaging apps are increasingly targeted by attackers because they store sensitive personal data. The Freedom Chat case highlights the importance of robust backend security, proper vulnerability reporting mechanisms, and ongoing audits to ensure that security claims match real-world protections. Users are advised to update to the latest version of Freedom Chat to ensure their accounts remain secure and to reset their PINs if prompted.
Freedom Chat’s rapid response demonstrates the critical role of security research in protecting users. By identifying flaws before they can be exploited widely, researchers help app developers patch vulnerabilities and prevent potential privacy breaches. For users, staying informed about updates and security practices remains essential for maintaining digital safety.