How secure is Pushbullet content you push across your devices actually?
Pushbullet is an app most of us use everyday and is actually considered by many as the only alternative to Apple’s iOS Continuity. Most of us really take for granted the fact that such a popular and widespread app would protect the content we view/push over it. But how secure is that content actually?
It was by pure coincidence, that one day I pushed an image from one of my computers to another and found out that Pushbullet actually publishes all content you share “privately” across your devices on a public Internet server.
Here is the image in question:
Despite the fact that you are logged in to your account and are sharing content between your personal devices(not with someone else from your contacts) and for those of you who are a bit more security conscious – have an EndToEnd encryption passphrase setup, the files end up on the world wide web completely unprotected and up for grabs to everyone with the link.
Usually other sharing platforms explicitly ask for your permission, should you choose to share content with everyone via a public link, however in Pushbullet there is no mention anywhere that when pushing content from your phone to a computer, you are actually pushing it to the entire Internet.
Yes there is a hash in the above URL which is difficult to guess/sniff, since the server uses TLS, but once the content is out there, someone can/will find it.
Just for fun I scrolled through all the content I had pushed across my devices and was unpleasantly surprised to find out, that files I pushed long time ago are also publicly available to everyone, without an option from my side to remove them.
To quote Pushbullet:
End-to-end encryption means your data is encrypted before it leaves your device, and isn’t decrypted until it is received by another of your devices. This means we at Pushbullet only forward encrypted data. By setting up end-to-end encryption, you can be confident that your data is only readable when it’s shown to you.
Being a developer myself, I do understand what they mean by this, but it’s not what I/you/everyone observes with the above example.
PS: Prior to writing this post I notified Pushbullet about this security flaw, and thus far I have not received any response from them.