Freedom Chat Security Flaws Put Users at Risk
Messaging app Freedom Chat has patched critical security flaws that exposed users’ phone numbers and PIN codes. Launched in June 2025 as a “secure messaging app,” Freedom Chat promised private phone numbers and PIN-protected access to the app. A recent discovery showed that both promises were undermined by flaws in the app’s backend, raising concerns about data safety for early adopters.
Security researcher Eric Daigle found the flaws last week and shared the details with TechCrunch, because Freedom Chat had no formal vulnerability disclosure process through which to report them. Daigle showed that both phone numbers and PINs could be obtained with relatively simple techniques, putting the app’s roughly 2,000 users at risk.
How the Vulnerabilities Worked
Daigle explained that Freedom Chat’s servers answered an unlimited number of phone-number lookups, so anyone could submit millions of guesses and learn which numbers belonged to registered accounts. Using this lookup as an oracle, he was able to enumerate the phone numbers of nearly 2,000 users who had signed up since the app’s launch.
The technique is the same one recently highlighted by researchers at the University of Vienna, who checked billions of phone numbers against WhatsApp to scrape data on its accounts at scale. That it worked against both a giant and a newcomer underlines how common this weakness is in messaging apps that claim to be secure.
PIN Exposure Across Public Channels
In addition to phone numbers, Freedom Chat was leaking user PINs. Using an open-source network traffic analysis tool to inspect the app’s traffic, Daigle found that the server’s responses for the app’s default public channel included the PIN codes of the other members of that channel. The app never displayed these PINs on screen, but anyone watching the traffic could read them.
With a victim’s PIN, someone who also had physical access to the device could unlock that user’s app. Messages themselves were not at risk, but handing authentication credentials to every other member of a public channel is a serious security flaw in its own right.
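The leak described above is a classic response-serialization bug: an internal user record, credentials included, is returned to clients wholesale. The following is an added example written for this article, not Freedom Chat’s code; the field names (`phone`, `pin_hash`, `display_name`, ...), the sample users and the forbidden-key list are assumptions. It shows the leaky serializer beside an allowlist serializer, stores PINs as salted hashes rather than plaintext, and includes a check that walks any response payload for credential-like keys so the regression can be caught in tests.

```python
"""Added example: keep credentials out of API responses.

Constructed toy model, not Freedom Chat's code. Field names, sample
users and the forbidden-key list are assumptions for illustration.
"""
import hashlib
import hmac
import json
import os
from typing import Optional

# Fields a client is allowed to see about *other* members of a channel.
# Anything not listed stays on the server, whatever the record holds.
MEMBER_PUBLIC_FIELDS = ("user_id", "display_name", "joined_at")

# Keys that must never appear in any response, at any nesting depth.
FORBIDDEN_KEYS = {"pin", "pin_hash", "pin_salt", "password", "phone", "token"}


def hash_pin(pin: str, salt: Optional[bytes] = None) -> dict:
    """Store a PIN as a salted PBKDF2 hash, never as plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)
    return {"pin_salt": salt.hex(), "pin_hash": digest.hex()}


def verify_pin(record: dict, pin: str) -> bool:
    """Constant-time comparison against the stored hash."""
    salt = bytes.fromhex(record["pin_salt"])
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)
    return hmac.compare_digest(digest.hex(), record["pin_hash"])


def serialize_member_leaky(record: dict) -> dict:
    """The bug class: return the whole internal record to the client."""
    return dict(record)


def serialize_member(record: dict) -> dict:
    """Allowlist: copy only the fields other members are meant to see."""
    return {k: record[k] for k in MEMBER_PUBLIC_FIELDS if k in record}


def find_forbidden_keys(payload) -> set:
    """Walk a JSON-compatible payload and collect forbidden key names.

    Run this over every API response in tests so a future backend change
    cannot quietly reintroduce the leak.
    """
    found = set()
    if isinstance(payload, dict):
        for k, v in payload.items():
            if k.lower() in FORBIDDEN_KEYS:
                found.add(k)
            found |= find_forbidden_keys(v)
    elif isinstance(payload, list):
        for item in payload:
            found |= find_forbidden_keys(item)
    return found


def channel_members_response(records, serializer) -> str:
    """Build the JSON body for a 'list members of this channel' call."""
    body = {"channel": "public", "members": [serializer(r) for r in records]}
    return json.dumps(body)


# Constructed sample data (not real users).
USERS = [
    {"user_id": 1, "display_name": "alice", "joined_at": "2025-06-01",
     "phone": "+15550000001", **hash_pin("4821")},
    {"user_id": 2, "display_name": "bob", "joined_at": "2025-06-02",
     "phone": "+15550000002", **hash_pin("1357")},
]


def demo() -> dict:
    leaky = channel_members_response(USERS, serialize_member_leaky)
    safe = channel_members_response(USERS, serialize_member)
    return {
        "leaky_forbidden": find_forbidden_keys(json.loads(leaky)),
        "safe_forbidden": find_forbidden_keys(json.loads(safe)),
        "alice_pin_ok": verify_pin(USERS[0], "4821"),
        "alice_pin_wrong": verify_pin(USERS[0], "1111"),
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping in mind. Hashing does not make a four-digit PIN safe to leak: the keyspace is only 10,000 values, so anyone holding the hash can brute-force it offline in seconds, which is why the allowlist serializer and the response scan matter regardless of how the PIN is stored. And the scan is deliberately key-based rather than value-based, because a leaked digest or salt looks like any other hex string; naming the forbidden keys is the reliable signal.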
Freedom Chat’s Response
Once alerted, Freedom Chat founder Tanner Haas confirmed that the company had addressed the vulnerabilities. All user PINs were reset and a new app version was released. The company also removed the places where phone numbers could be displayed and added rate limiting on its servers to block mass-guessing attacks.
In an app store update, Freedom Chat stated: “A critical reset: A recent backend update inadvertently exposed user PINs in a system response. No messages were ever at risk, and because Freedom Chat does not support linked devices, your conversations were never accessible externally.”
No Public Security Reporting Channels
One notable issue highlighted by this incident is that Freedom Chat had no public vulnerability disclosure program. Security researchers rely on such programs to report flaws safely and confidentially; without one, Daigle noted, TechCrunch’s notification was the only way the company learned about the vulnerabilities.
The lack of a formal reporting channel can delay crucial fixes and leave users exposed for longer than necessary. As secure messaging apps become more popular, transparency around security practices is increasingly important for user trust.
The Risk of Phone Number Enumeration
Phone number enumeration has been exploited against multiple messaging platforms. By systematically generating phone numbers and checking each one against a registration lookup, attackers can build a list of active accounts and target them with scams or phishing. For an app whose selling point is private phone numbers, the list itself is the breach.
Daigle’s analysis showed that Freedom Chat’s servers were particularly easy to enumerate because nothing throttled the lookups. The app now limits guesses, but the incident demonstrates that even apps marketed as “secure” can harbor hidden risks.
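To make the enumeration concrete, here is an added simulation written for this article (not Freedom Chat’s code). It models a registration lookup first as the unthrottled boolean oracle described above, then behind a per-client sliding-window rate limit of the kind the company says it added. The endpoint shape, the limits, the sample number block and the “attacker-ip” client key are all assumptions; a fake clock keeps the run deterministic.

```python
"""Added example: a registration lookup as an enumeration oracle, and the
same lookup behind a per-client sliding-window rate limit.

Toy simulation written for this article, not Freedom Chat's code. The
endpoint shape, limits, sample numbers and client key are assumptions.
"""
import time
from collections import deque

# Constructed set of "registered" numbers (not real users).
REGISTERED = {"+15550000007", "+15550000042", "+15550000123"}


def is_registered_unlimited(number: str) -> bool:
    """The vulnerable shape: a cheap yes/no answer with no limits."""
    return number in REGISTERED


class SlidingWindowLimiter:
    """Allow at most `limit` calls per `window` seconds for each client key."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable so tests need not sleep
        self._hits = {}     # key -> deque of call timestamps

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] > self.window:   # drop calls outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class RateLimited(Exception):
    """Raised when a client has exhausted its lookup budget."""


def make_limited_checker(limiter: SlidingWindowLimiter):
    """Wrap the lookup so every call is charged against the caller's budget."""
    def is_registered(client: str, number: str) -> bool:
        if not limiter.allow(client):
            raise RateLimited(client)
        return number in REGISTERED
    return is_registered


def enumerate_numbers(check, prefix: str, count: int) -> list:
    """Attacker loop: try prefix+0000..count-1, keep hits, stop when limited."""
    found = []
    for i in range(count):
        number = f"{prefix}{i:04d}"
        try:
            if check(number):
                found.append(number)
        except RateLimited:
            break
    return found


def demo() -> dict:
    t = [0.0]                      # fake clock, advanced by hand
    limiter = SlidingWindowLimiter(limit=20, window=60.0, clock=lambda: t[0])
    limited = make_limited_checker(limiter)

    unlimited_hits = enumerate_numbers(is_registered_unlimited, "+1555000", 1000)
    limited_hits = enumerate_numbers(
        lambda n: limited("attacker-ip", n), "+1555000", 1000)

    t[0] += 61.0                   # once the window passes, the budget refills
    allowed_after = limiter.allow("attacker-ip")
    return {
        "unlimited_found": len(unlimited_hits),
        "limited_found": limited_hits,
        "allowed_after_window": allowed_after,
    }


if __name__ == "__main__":
    print(demo())
```

The unthrottled lookup surrenders every registered number in the block in one pass; the limited one gives up after twenty guesses, catching only the number that happened to fall in the first twenty. Rate limiting by source address is a necessary first step but not a complete fix: an attacker with many addresses, or patience, still gets the same answers more slowly. Keying the limit to an authenticated account or device as well, alerting on aggregate lookup volume, and making the response the same whether or not a number is registered (for example, “if this number is registered we will send a code”) each remove more of the oracle.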
Lessons From the WhatsApp Comparison
Daigle referenced a University of Vienna study in which researchers scraped data on 3.5 billion WhatsApp accounts through similar enumeration techniques. Freedom Chat’s scale was far smaller, but the method mirrored a weakness known across messaging platforms worldwide.
The comparison emphasizes the importance of proactive defenses: rate limiting lookups per client, monitoring for bulk querying, and designing lookup responses so they reveal as little as possible about whether a number is registered.
What Users Should Do
Users of Freedom Chat should update to the latest version immediately and, when setting a new PIN, choose one that is not easy to guess. Anyone who was active in the default public channel should assume their old PIN was visible to other members; the forced reset covers the app itself, but that PIN should not be reused anywhere else.
While messages were never exposed, awareness and prompt action remain essential for users of any messaging platform. Staying out of default public channels reduces exposure to this kind of leak, and where an app offers a second factor on top of a PIN, enabling it limits the damage if the PIN alone leaks.
The Importance of Secure Messaging
This incident highlights a broader industry challenge: delivering real security for private messaging. Apps that market themselves as “encrypted” or “private” must continuously audit their backends, not only their message encryption, to prevent accidental exposure of user data in server responses.
Transparency, prompt patching, and clear reporting mechanisms are now minimum requirements for apps that handle sensitive personal information. Freedom Chat’s quick response limited the damage, but early users were still exposed for longer than they should have been.
Looking Ahead for Freedom Chat
Founder Tanner Haas has committed to further hardening the backend. Rate limiting, the PIN reset, and the removal of phone number leaks are the immediate steps. Rebuilding user trust, however, will require ongoing transparency and a formal channel for security reports.
Security researchers and users alike will be watching to see whether Freedom Chat can live up to its “secure messaging” promise over the long term.
Security Cannot Be an Afterthought
Freedom Chat’s PIN and phone number flaws are a reminder that small server-side mistakes can undermine an app’s entire privacy pitch. The issues are now fixed, but the incident underscores the importance of security-first design and proactive vulnerability management in messaging apps.
For users seeking private communication, staying informed and updating apps promptly remains essential. Privacy claims alone are not enough; robust security measures and transparent practices are what actually protect users.