Sunbird, the partner of messaging platform Nothing Chats, has announced a temporary suspension of its service due to ongoing security concerns. The company gained attention recently when it joined forces with smartphone manufacturer Nothing to support their iMessage-compatible chat application for Android. Users of the app, which allows for conversations across multiple platforms such as WhatsApp, Instagram, and iMessage, received a notification indicating that further updates would be shared soon.
This weekend, Sunbird communicated its decision via a notification: “Dear Sunbird User. We have decided to pause Sunbird usage for now while we investigate security concerns. We will update you when we are ready to proceed.”
In another notification to users, the company expressed, “Good afternoon everyone. We are investigating the security issues raised in the last 24 hours. In an abundance of caution and to protect your confidential data, we are shutting down Sunbird media temporarily. We will keep you posted. Thank you & sincere apologies for the inconvenience.”
The shutdown of the Sunbird app follows shortly after Nothing removed its highly anticipated Nothing Chats app from the Google Play Store. The app was designed to enable messaging with iPhone users via Apple’s iMessage service on the Nothing Phone 2. Both Nothing Chats and Sunbird, which had previously been available to alpha testers, relied on Sunbird’s infrastructure.
Reports emerged over the weekend from 9to5Google, detailing significant vulnerabilities in the Nothing Chats service. It was revealed that Sunbird had the capability to access all messages and attachments sent and received via the app, as this data was not secured. Users are required to log in with their Apple ID, allowing access to iMessage through a server farm operated by the company.
Sunbird has access to every message sent and received through the app. They do this by abusing @getsentry, which is used to monitor errors.
But Sunbird logs messages, pretending they are errors.
Here are part of the requests (img 1, 3) and their entire “message” (img 2, 4) pic.twitter.com/pzwwQVWfOb
— Dylan Roussel (@evowizz) November 18, 2023
Additionally, competing messaging service Texts.com issued a blog post that outlined numerous security vulnerabilities within Sunbird’s platform. They even provided evidence demonstrating how Sunbird’s claim of end-to-end encryption was inaccurate, as plaintext versions of messages were easily retrievable.
While Nothing has halted access to its Nothing Chats app, Sunbird’s service suspension aims to address the various privacy and security issues currently troubling the platform. Uncertainty remains regarding when users of the Nothing Phone 2 will regain access to the service.
With Apple set to introduce support for RCS messaging in 2024, improvements to communication between iOS and Android users seem imminent, potentially alleviating the need for additional third-party messaging applications.
