“Super secure” messaging app leaks everyone's phone number

Original Article ↗ Hacker News Discussion ↗

Context: MAGA-Themed “Super Secure” App and Its Flaws

  • Thread centers on a MAGA-branded chat app (Converso/Freedom Chat) that exposes users’ phone numbers and even plaintext PINs via trivial API misuse.
  • Many see it as emblematic of “failure-as-a-feature” operations and grifty, low-quality products marketed as privacy tools.
  • Several note the app is barely used (tiny install counts), questioning whether it’s more a marketing stunt than a real platform.

Signal’s Design: Strengths and Limitations

  • Multiple comments contrast the app with Signal’s private contact discovery: SGX enclaves, ORAM-like lookup, constant-time equality, and remote attestation to hide which numbers match.
  • Acknowledged limits:
    • SGX is not perfect (side channels, need to trust attestation/verifier).
    • Signal’s metadata protection is “by policy,” not mathematically enforced; it still sees registration time and coarse login activity.
  • Some argue if you need stronger metadata privacy, use tools like Cwtch, Ricochet, Briar, etc.

Identifiers, Phone Numbers, and Threat Models

  • Heavy debate over requiring phone numbers at all:
    • Pro: excellent anti-spam and usability (viral contact discovery, easier onboarding).
    • Con: ties account to SIM/ID, enables global phone-number enumeration, and leaks that two people are Signal users.
  • Ideas floated: pairwise hashes for discovery, paid/crypto-based registration, PoW or CAPTCHAs, invite-only systems—each criticized as either user-hostile, ineffective at scale, or still linkable.

Other Messengers and Metadata Concerns

  • SimpleX, Matrix, DeltaChat, Telegram, and others discussed:
    • SimpleX criticized for IP exposure and centralized relays.
    • Matrix praised for federation and ongoing research into anonymous discovery (e.g. new protocols), though current hashed lookup has its own issues.
    • Telegram widely characterized as non-private and metadata-heavy.

Basic Security Hygiene and Developer Competence

  • Core failure here is 101-level: no rate limiting, unsafe APIs, serializing entire user objects (including PINs), and naive contact discovery.
  • Several lament “vibe coding”: devs using auto-serialization and cloud stacks without understanding rate limiting, data minimization, or common web vulns.

Hubris, Politics, and Expertise

  • A widely cited quote from the app’s creator (“we’re both smart, how hard can it be?”) is used to illustrate broader cultural distrust of expertise and overconfidence.
  • Political angle is contentious: some see MAGA’s anti-expert ethos as directly producing insecure tech; others argue breaches happen across the spectrum and want less politicization in the technical discussion.