Highlights:
- Check Point Research (CPR) found substantial security vulnerabilities that if exploited could provide attackers with control over the platform’s database, access to the user’s chat room conversations, influence user’s ranks and points, file sharing, and full access to Friend.Tech’s propriety info
- CPR shared its discoveries with the Friend.tech team, aiming to enhance the safety and security of the platform’s users’ experience
Friend.tech: Much more than another Social Media platform
Friend.tech represents more than a typical social media platform. It is one of the latest web3 platforms, which rely on blockchain and decentralized financial models. It operates as a decentralized ecosystem where a user’s popularity transcends mere likes and retweets – it’s transformed into tokens. Imagine it as a personality stock exchange, where value fluctuates in response to supply and demand dynamics. After connecting friend.tech’s user account with the corresponding X (formerly Twitter) account, the platform enables users to engage in the trading of popularity by purchasing and selling their “shares.”
Launched August 2023, the platform burst on the scene driving excitement from the web3 community and reporters. Within a relatively brief timespan, Friend.tech recorded an outstanding volume of 38,884 ETH, roughly amounting to $64.6 million, all distributed over 1.5 million transactions. Such performance didn’t merely garner attention; it solidified Friend.tech’s position, ranking it second in global on-chain protocol activity:
Holding shares goes beyond a financial endeavor – it’s a pathway to exclusive content and access. When you invest in shares of, let’s say, a Twitter influencer, you gain access to their unique content, a dedicated chatroom, and a direct messaging channel. In essence, it creates a tiered, token-driven system for fan interaction.
What truly enhances the value of these shares is the direct and unfiltered access they grant to the user. For Twitter personalities, the more esteemed you become, the more shareholders you draw in. This, in turn, amplifies the value of your social token.
However, as with all new things, there could be hidden flaws. While Friend.tech offers a unique way to profit from social interactions, one has to wonder: can it really keep our data safe? More importantly, can it ensure our chats remain private and out of reach from unwanted viewers? With the rise of decentralized social platforms, these concerns are crucial, reminding us that security matters in our digital world.
What did CPR find?
Our findings identified critical vulnerabilities that, if exploited, could give an attacker the ability to:
- Access Friend.tech’s database, providing unauthorized control over various functions, including the ability to download the entire database.
- Retrieve all private chats that are behind a paywall by default. This means that conversations, which are intended to be visible only to users who have paid, could be accessed and disclosed without authorization, which also includes files shared in the chat (images, videos etc)
- Modify database values directly, specifically – ranking “points” (that are earned by buying/selling user shares) which leads to a larger share of the future airdrop from friend.tech application.
Responsible disclosure and collaboration with Friend.tech
On September 5th, 2023, CPR shared its discoveries with the Friend.tech team, aiming to enhance the safety and security of the platform’s users’ experience. CPR recommends all users remain vigilant and keep best security practices top of mind.