The popular instant messaging app Kik has launched a $3 million developer fund to build consumer apps that integrate its Kin cryptocurrency. An app in its program has recently been found to have been storing users’ passwords in plain text.
The security vulnerability, first disclosed by NuFi, was found in the app ‘Blaschat’ and didn’t just see it store passwords in plain text, but also emails and phone numbers associated with usernames. The app didn’t encrypt communications between devices.
Per the news outlet, this means those probing around on the app could have been able to collect its users’ usernames, passwords, emails, and phone numbers. The app’s creators also had access to the data.
The vulnerability has reportedly been present in the app since its release and, as soon as it was found, Blaschat was taken offline citing its Kin integration as the reason.
We have temporarily removed Blastchat from both app stores as we are working hard on our partnership with @kin_foundation to implement KIN into our app. In October users will earn crypto (KIN) for the time, energy, ideas, opinions, and creativity you share on Blastchat. 10/13/18!
— Blastchat (@joinblastchat) September 11, 2018
Later on, once The Next Web reported on the incident, Blaschat founder Jhamar Youngblood acknowledge the incident and published a Medium blog post detailing plans to secure the app, after wiping previously stored data.
Users who have been using the Blaschat app before it was taken down are advised to change their passwords on other websites. They’re also advised to change their email address on cryptocurrency-related platforms to prevent social engineering attempts and enabled two-factor authentication (2FA) on their accounts.
The Kin Foundation, the organization behind Kin’s developer fund, has also reacted to the incident. Through a Medium post, it noted its Kin cryptocurrency hadn’t yet been integrated into the app.
Moreover, it claims that even if it was integrated, Kin wallets wouldn’t be compromised as these are secured “at the SDK level.” The post reads:
So, while Blastchat users’ app-specific data may have been vulnerable, the Kin SDK does not allow extraction of private keys from the device, which means your Kin is secure even in the event of an app-specific security breach.
Other apps in its program are also set to be reviewed, to ensure users aren’t being exposed to other security vulnerabilities. Kin’s developer program will reportedly integrate the cryptocurrency into chosen apps on October 2, and submit them to Google Play and Apple’s App Store.
Kik itself already has a live Kin-related app on both app stores. Its Kinit app, as CryptoGlobe covered, rewards users with Kin for completing specific tasks, including quizzes and surveys. Earned tokens can then be used to buy gift cards and get other rewards.