Palringo has severe security issues

Many iPhone users are happy that there is finally an instant messaging client that claims to support all the important services like ICQ, MSN, Gtalk, Yahoo-Chat and so on. So was I, and happily installed Palringo today. But after a short while the happiness was gone. It was already suspicious from the beginning that you have to register an account with Palringo before being able to use it. After a short investigation I knew why.

In fact the Palringo client on the iPhone does not support any of the aforementioned services. All the client is doing is setting up a connection to a server (echo.palringo.com:38535), which then connects to the different services you want to use. This implies several security issues.

First, this means that Palringo is storing all your passwords of the different IM services you are using, and this is dangerous. For many services, like Google or MSN, these passwords are not only used for the chat system, but might also be used for your personal email account or even credit card payments! Are you sure you wanna share that with some random company? Beside that they can read all of your communication. (At least if you don’t use end-to-end encryption.)

But this is not the whole story. What really bothers me is that this connection from the iPhone to the Palringo server is completely unencrypted and plain text! Since the iPhone exclusively uses wireless technologies this is particularly severe. It means that everybody in your vicinity can very very easily intercept all of your communication and all your passwords as well. Remember, the same passwords might be used for your personal email or credit card payments. You don’t want that. 

So please do yourself a favor and don’t use Palringo! (At least not the current version.)

9 thoughts on “Palringo has severe security issues

  1. As of 20 minutes ago, Apple have finally approved the 1.1 update to Palringo. This enables full encryption for sensitive user details such as passwords.

    Palringo’s servers do not store unencrypted versions of passwords, and do not store messages which are relayed to MSN/ICQ/AIM/etc.

    Our privacy policy is available on our website and details our use of details provided to us by our users – it’s not as alarming as this post makes it out to be.

  2. @Martin: Ok, so what do we still have in the new version: Everybody can see our conversation and Palringo knows all our passwords. That’s a bit better, but far from being good.

    Your privacy policy just tells what you do with the information, not what information you will gather. The users just don’t expect, that all their passwords are disclosed to Palringo.

    If you want to offer a fair and acceptable product, you should use a full SSL tunnel to your server and explicitly clarify to the users, that all the IM traffic and all passwords will be forwarded to your server.

  3. @Sveenie: Users face the same issues when using official MSN/ICQ/AIM clients – it is not industry standard practice to encrypt data other than passwords.

    Palringo’s servers act as a proxy/gateway to other services, which provides better resilience to intermittent connectivity problems and will allow us to implement push notifications in the near future. We do not log traffic data we relay, and the sole design rationale behind our architecture has been to provide a better user experience.

  4. @Martin: that’s not true. For XMPP/Jabber/Gtalk, what I’m mainly using, full encryption IS standard. So for me this would be clearly a step back.
    Of course you are free to convince your potential users that your intentions are good, but first you have to give them the choice by clearly stating how it works. But you don’t, since you fear that users will have doubts if it is such a good idea to give all their passwords to a third party. And instead of addressing these doubts you just don’t mention it.
    To be fair: MobileChat is relaying over their proxy as well, but I don’t know about encryption. I cannot check it out, since I don’t want to pay money for it.

  5. BTW: Google (Gtalk) states in the Terms of Service:
    6.1 You agree and understand that you are responsible for maintaining the confidentiality of passwords associated with any account you use to access the Services.
    How can a Palringo user do that, if he doesn’t even know, that he/she gives the password to a third party?

  6. I have seen exactly the same problem with ebuddy.

    So… is there any WLM/MSN Client secured ?

    Thanks

  7. Martin always did like arguing on the wrong end. heard he spends his days in Jamaica with the reefers.

  8. @Martin: “All we have ever done was try to make a better experience for users.” Random barrs, terrible choice in support community moderators, allowing people like Phoenix to get people barred for disagreeing with him… Some “better experience” all right.

Leave a Reply

Your email address will not be published. Required fields are marked *

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.