Private chats without any credit cards
During a routine scan and data profiling of unsecured MQTT servers, I came across a beta server that was allowing unsecured subscriptions to various wildcard topics. Sweet Chat, an Android-based chatting and photo-sharing application with over 10 million users, has been exposing its users' chat content and photos on an unsecured server.

Sweet Chat is described by its publisher as "[an] LBS and big data based overseas social application, [that] was launched to help users connect with new friends globally. 2019, Sweet Chat ranked Top 10 social apps in Latin America, the Middle East, etc., and has become one of the most popular stranger chat apps in many countries and regions around the world."

With over 800 million users worldwide, uFotoSoft has a large potential Sweet Chat user base of between 1 million (reported by Google Play) and 10 million (reported on the uFotoSoft website) impacted users.

On a side note, when attempting to locate the company behind the Sweet Chat application, I noticed a discrepancy between the Google Play Store and the website:

Google Play: 1 Stars Avenue, Singapore
uFotoSoft.com: No.18 Tangmiao Road, Xihu District, Hangzhou, China

Is uFotoSoft a Chinese or South Korean company?

Packet Capture is a great MitM tool for initial application analysis on Android, and while a bit dated, it can identify major problems with network communication security between an Android app and its backend server. With a quick analysis, the following issues were identified with Sweet Chat:

Other than confirming a few of the API endpoints and hostnames, the only item of note is the code used to sign each API call, which could be used to create a third-party bot that emulates user responses.

There appear to be two types of bots that initiate chats with users and send scripted exchanges and pictures. They are easily identified both by the received message content and by the traffic that can be seen for that particular user in the exposed MQTT messages to many users in the system.

The "System Actor" bots are so named because it is evident from their exposed MQTT messages that these bots are run by uFotoSoft. Typical users, when creating an account, get a userid in the range 4000000 - 7000000 or an 18-digit number starting with 3569xxxxxxxxxxxxxx.

By analyzing the timestamps of messages from these same bots, you can observe them sending the exact same message about a dozen times within 2-3 seconds to different users on the system. You can see many users on the system attempt to converse with these System Actor bots and send them "gifts", which are paid for with a monthly subscription.
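The timestamp heuristic above (one sender, one identical message, a dozen recipients inside a few seconds) plus the reported userid ranges can be turned into a small triage script for a captured message dump. This is an added example, not code from the original post: the message fields (sender, recipient, text, ts) are assumed, since the page does not show the MQTT payload layout, and the sample records are constructed.

```python
"""Flag scripted 'System Actor' style senders in a dump of chat messages.

Added example, not from the original post. Message fields (sender, recipient,
text, ts) are assumed; the real MQTT payload layout is not shown on the page.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: one sender repeats one line to 12 recipients in ~2.2s,
# while an ordinary user sends two normal messages minutes apart. ts is Unix seconds.
SAMPLE_MESSAGES = [
    {"sender": 12345, "recipient": 4000010 + i, "text": "hi dear, send me a gift?",
     "ts": 1_600_000_000.0 + i * 0.2} for i in range(12)
] + [
    {"sender": 4500001, "recipient": 4500002, "text": "hello", "ts": 1_600_000_100.0},
    {"sender": 4500001, "recipient": 4500003, "text": "hello", "ts": 1_600_000_400.0},
]

def is_typical_userid(uid: int) -> bool:
    """The userid ranges the post reports for ordinary accounts."""
    s = str(uid)
    return 4_000_000 <= uid <= 7_000_000 or (len(s) == 18 and s.startswith("3569"))

def find_broadcasters(messages, window=3.0, min_recipients=6) -> Dict[int, List[Tuple[str, int]]]:
    """Return {sender: [(text, distinct recipients)]} for every (sender, text)
    pair that reached >= min_recipients distinct recipients within any span of
    `window` seconds. A sliding window over sorted timestamps keeps it linear."""
    groups = defaultdict(list)
    for m in messages:
        groups[(m["sender"], m["text"])].append((m["ts"], m["recipient"]))
    hits = defaultdict(list)
    for (sender, text), events in groups.items():
        events.sort()
        lo, best = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            best = max(best, len({r for _, r in events[lo:hi + 1]}))
        if best >= min_recipients:
            hits[sender].append((text, best))
    return dict(hits)

def report(messages) -> List[str]:
    """One line per flagged (sender, text), noting whether the id looks like a normal account."""
    lines = []
    for sender, items in find_broadcasters(messages).items():
        kind = "typical id" if is_typical_userid(sender) else "non-typical id"
        for text, n in items:
            lines.append(f"{sender} ({kind}): {n} recipients in one window: {text!r}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_MESSAGES)))
```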