Sequels seldom live up to the hype. But the newly launched Bolo Messenger App has managed to garner the same level of buzz as the Kimbho App – its earlier version. And again, for all the wrong reasons.
The launch of the Bolo app on Friday, 13 July, spurred a cheeky Twitter battle between two adversaries. An anonymous French security researcher, who goes by the moniker Elliot Alderson, had punctured holes in Kimbho’s security design and has now flagged major flaws in the Bolo Messenger app. This happened after Aditi Kamal, the developer of Kimbho and now Bolo, challenged him to find weaknesses in the new app on Twitter.
Kamal, speaking to The Quint, denied the validity of the flaws. “Security is our No.1 priority and we aim to excel in this area,” she said, adding that “there have been numerous attacks on our systems from all over the world – the Netherlands, England, France, China, America – and they all failed.”
We bring you a blow-by-blow account of the Twitter duel and an analysis of the security flaws flagged by Alderson.
This is what Aditi Kamal tweeted: “Hi @fs0c131 (Alderson’s Twitter handle) Try your hacking skills on this swadesi version. #swadesiaditi #challenge #nojoke”
Alderson, who adopted his moniker from the vigilante hacker protagonist of the popular series ‘Mr Robot’, said “Challenge Accepted!” in response to Kamal’s tweet and then proceeded to detail in a tweet thread the first major flaw he discovered.
Alderson, in a thread of ten tweets, explained with screenshots of the API that when one sends a text, the app checks whether the recipient is online and when she was last active on the app. Access to this metadata amounts to an invasion of user privacy, because people outside your contact list can potentially monitor your activity on the app.
Kamal, though, didn’t seem impressed with the comeback and offered her own counter-punch. “I don’t need to be a PROGRAMMER to see WhatsApp status. Why would I write a hacking script for something I can do in simple two steps? Looking for something interesting,” she tweeted back.
Alderson, in his characteristic style, responded to Kamal’s counter by claiming that she had no idea about security, particularly in reference to her usage of the term, “hacking script”.
Alderson, in signing off from the bout with a mic-drop GIF, had a few words of advice.
The audience in the digital colosseum of Twitter who were witnessing the blows live had a few inputs of their own as well.
Security researchers The Quint got in touch with backed the validity of the claims made by Alderson. “What he is pointing to checks out. Moreover, the back end seems to be running a Jetty server without a load balancer or any front-end security capable of detecting intrusions or load limiting,” said V Anand, a security researcher and programmer based in Bengaluru.
Aditi Kamal’s response to The Quint: This was a privacy concern raised by him. However, like all other apps we have a setting to disable showing online status. This is similar to how WhatsApp and Gmail show the photo avatar and online status of unknown users with the provision of opt-out. However, to add an extra layer of privacy, we have disabled people from viewing your status if not a friend, along with a complete opt-out provision.
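To make the disagreement concrete, here is an added illustration (not code from Bolo, Alderson or The Quint) of a presence lookup in the shape Alderson described, where anyone who knows a user id receives online and last-active metadata, next to a gated version that applies the two controls Kamal describes: friend-only visibility and a per-user opt-out. The user directory, field names and setting name are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class User:
    uid: str
    online: bool
    last_active: datetime
    friends: set = field(default_factory=set)
    show_status: bool = True  # per-user opt-out switch (constructed name)


def _ts(hour: int, minute: int) -> datetime:
    return datetime(2018, 7, 13, hour, minute, tzinfo=timezone.utc)


# Constructed sample directory: carol has opted out and has no friends.
USERS = {
    "alice": User("alice", True, _ts(10, 5), {"bob"}),
    "bob": User("bob", False, _ts(9, 40), {"alice"}),
    "carol": User("carol", True, _ts(10, 1), set(), show_status=False),
}

HIDDEN = {"online": None, "last_active": None}


def presence_leaky(target: str) -> dict:
    """Lookup keyed only on the target id: no caller identity is checked,
    so any client that can name a user can poll their activity."""
    u = USERS[target]
    return {"online": u.online, "last_active": u.last_active.isoformat()}


def presence_gated(requester: str, target: str) -> dict:
    """Lookup that checks who is asking: metadata is returned only to the
    user themselves or to a friend, and never for a user who opted out."""
    u = USERS.get(target)
    if u is None:
        # Unknown ids get the same response as denied ones, so the
        # endpoint cannot be used to confirm which ids exist.
        return dict(HIDDEN)
    allowed = requester == target or (u.show_status and requester in u.friends)
    if not allowed:
        return dict(HIDDEN)
    return {"online": u.online, "last_active": u.last_active.isoformat()}
```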
In round two, Alderson added a face-palm emoji to make the blow more powerful.
Kamal, once again, stuck to her guns and provided a counter to Alderson’s expose. Before the bell went off at the end of the bout, Alderson had a few more parting words of advice.
Aditi Kamal to The Quint: Another concern raised was the ability to read his own notification token. However, this token is unique per user and is used to send notifications by our system to a unique user (in this case, him). This is not a security threat at all and is confined to a unique user (which is him). Also, these tokens expire and are invalidated after some time. Still, since it was raised by a pro like him we addressed it and it is no longer accessible to anyone. She added that her security team is continuously reporting these attacks to the concerned authorities.
The website describes Bolo as “Bharat’s first swadesi messaging app” whose mission is “to promote swadesi tech revolution and support the Make in India movement”. It is available on both the Google Play and Apple App stores.
Security experts, however, point to the fact that the Android API that apps like Bolo are built on has historically been found to contain bugs that allow hackers to spoof an app or extract data from it. “The important question here is that a responsible app would be aware of this aspect of Android and build an app that secures it against such threats. There is a possibility of clone Bolo apps that could surface and hackers could use the attack vectors flagged by Alderson but in different ways,” said Srinivas Kodali, a security engineer and internet researcher.
“Apps like Bolo may get away since most users are not aware of the underlying technology and could fall for it,” said a researcher who did not wish to be named.