Nothing Addresses CMF Watch App Vulnerability Potentially Exposing Email Addresses and Passwords, According to Report

Nothing Resolves Security Issue in CMF Watch App, No Longer Exposing Encrypted Passwords; Further Fixes in the Pipeline.

Nothing — the UK startup led by OnePlus co-founder Carl Pei — recently rolled out a partial fix for a security vulnerability in the companion app for the CMF Watch Pro, according to a report. The encryption-related flaw could expose the email addresses and passwords users supplied when signing up for an account. The issue has come to light weeks after Nothing’s iMessage-on-Android app was shut down amid allegations that the service did not encrypt messages and media as advertised by Nothing and its partner Sunbird.

9to5Google contributor Dylan Roussel, in a recent thread on X (formerly Twitter), explained that the CMF Watch app did encrypt both the email address and password that users provided when signing up for an account, but the same keys could decrypt both fields. The publication reports that those decryption keys were also present in the Android app itself, so anyone with a copy of the app could recover the details.

> So what’s the problem? Back in September, the CMF Watch app was encrypting both the email and password, which was great!
>
> But the encryption method used also allowed anyone to decrypt the email and password with the exact same keys.
>
> — Dylan Roussel (@evowizz) December 1, 2023
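The flaw Roussel describes, reversible encryption whose key ships inside the client, is easy to reproduce in miniature. The following is an added illustration and is not code from the CMF Watch app or from Nothing; the cipher, the key and the hashing parameters are constructed stand-ins, since the app's actual scheme is not public. It shows why one shipped key reverses every stored field and contrasts that with server-side salted hashing, the standard way to store passwords so that no stored value can be turned back into the password.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a key compiled into a client app (hypothetical value).
SHIPPED_APP_KEY = b"hypothetical-key-embedded-in-apk"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream: a toy symmetric cipher for illustration."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def client_encrypt(plaintext: bytes, key: bytes = SHIPPED_APP_KEY) -> bytes:
    """The weak pattern: reversible encryption with a key that ships in the app.
    Returns nonce || ciphertext."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def client_decrypt(blob: bytes, key: bytes = SHIPPED_APP_KEY) -> bytes:
    """Whoever holds the app holds the key, so the same call reverses any field."""
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Hardened alternative: a per-user salted, memory-hard one-way hash kept server-side.
    Returns salt || digest; there is no key that maps the digest back to the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)
```

The email address is a different case: a service needs it in the clear to contact the user, so hashing does not apply there and the protection has to come from keeping the encryption key out of the client and limiting who can read the stored record.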

Back in September, Roussel had pointed out that the CMF Watch app was developed by Chinese firm Jingxun, and references to the firm were visible in the app. At the time, he pointed out that the company’s website also lists OnePlus as one of its partners, alongside Sony, Philips, and Toshiba.

“After months of being reported, CMF by Nothing acknowledges security flaws highlighted by Roussel. While the encryption method for user passwords has been reportedly resolved, the email address remains susceptible. An OTA update is in the works for CMF Watch Pro users to address lingering issues. The company has recently established points of contact for vulnerabilities in both Nothing and CMF by Nothing products. This development follows a previous privacy controversy involving Nothing’s beta release of the Nothing Chats app, which promised access to Apple’s iMessage service. Due to concerns about privacy and security, the app was removed from the Play Store, and Sunbird, Nothing’s partner, temporarily halted access to its service.”