Deauthorization Bug in messenger application - How serious is this?

Information Security Asked on October 28, 2021

My question refers to a behavior on a production system with more than 100 million chat users.

Some time ago I changed my account password and removed all devices connected to my account.
The next day I noticed that during the night I still received all messages addressed to me by push notification on my mobile phone.
Then I tried the same thing with another account and an emulated Android phone and ended up with the same results.

The app requires login data, but all private messages are still delivered to my deauthorized phone via push notifications.
The deauthorized devices no longer appear on the account page as connected devices.

After about a week of trying to explain to the support team what my problem is, it was finally taken more seriously.
However, they can't tell me what devices are connected to my account and who is able to read my messages right now. I was simply told that no suspicious behavior was noted.

I have been spying on my own messages from my mobile phone for over 5 months now.

Question 1: Do you have any idea what kind of problem this is and how hard it is to write a fix for it?

Question 2: Could this situation possibly be applied to accounts that were never connected to the mobile phone?

Question 3: Who, apart from support, can I contact and how long should I wait until I approach someone else? I have already been informed that they might not get back to me.
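The symptom in the question (removed devices vanish from the account page yet keep receiving pushes) is consistent with a credential-change routine that revokes sessions but leaves push registrations alone. The following is an added illustration, not code from the question or from any real messenger: a hypothetical account model in which the buggy `change_password_buggy` and the corrected `change_password_fixed` can be compared, with `deliver` returning the devices that would still be pushed a message.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    device_id: str
    session_token: str   # proves the app is logged in
    push_token: str      # lets the server route pushes to this handset

@dataclass
class Account:
    # device_id -> Device; this is what the "connected devices" page lists
    devices: dict = field(default_factory=dict)
    # push_token -> device_id; this is what the push fan-out consults
    push_registry: dict = field(default_factory=dict)

def register_device(acct: Account, device_id: str,
                    session_token: str, push_token: str) -> None:
    """Login on a device records both a session and a push registration."""
    acct.devices[device_id] = Device(device_id, session_token, push_token)
    acct.push_registry[push_token] = device_id

def change_password_buggy(acct: Account) -> None:
    """Revokes sessions only: the device page empties, pushes keep flowing."""
    acct.devices.clear()

def change_password_fixed(acct: Account) -> None:
    """Revokes sessions AND every push registration tied to them."""
    for dev in acct.devices.values():
        acct.push_registry.pop(dev.push_token, None)
    acct.devices.clear()

def connected_devices(acct: Account) -> list:
    """What the account page would show."""
    return sorted(acct.devices)

def deliver(acct: Account, message: str) -> list:
    """Devices that would receive `message` by push (sorted device ids)."""
    return sorted(acct.push_registry.values())

def demo(fix_applied: bool) -> tuple:
    """Constructed scenario: phone + laptop, then a password change."""
    acct = Account()
    register_device(acct, "phone", "sess-1", "push-aaa")
    register_device(acct, "laptop", "sess-2", "push-bbb")
    (change_password_fixed if fix_applied else change_password_buggy)(acct)
    return connected_devices(acct), deliver(acct, "hello")
```

With the buggy routine `demo(False)` shows an empty device list alongside two devices still receiving the message, which is the exact inconsistency described above; a regression test for this bug should assert that a deauthorized device receives nothing.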
