A Freedom Chat security vulnerability exposed users’ phone numbers and PIN codes through two critical flaws disclosed today. The messaging app, charging $5.99 per month for “privacy-first” communications, marks founder Tanner Haas’s second catastrophic security failure. His previous app, Converso, was delisted from app stores in 2023 after researchers discovered it exposed private messages and encryption keys.
Security researcher Eric Daigle discovered the vulnerabilities, which enabled systematic enumeration of registered user phone numbers and broadcast users’ PIN codes to everyone in public channels. According to TechCrunch’s exclusive report, anyone in Freedom Chat’s default channel could see the PINs of every other user simply by inspecting network traffic.
When Privacy Apps Aren’t Private
The irony cuts deep with this Freedom Chat security vulnerability. Freedom Chat markets itself as a premium privacy solution—$6 per month or $53 annually—promising end-to-end encryption, no message storage on servers, and no commercial data use. The app touts screenshot protection and self-destructing messages as premium features.
However, it lacked something far more fundamental: a vulnerability disclosure program. Daigle discovered the flaws last week but had no official channel to report them. Freedom Chat provides no public way for security researchers to responsibly disclose vulnerabilities—a glaring red flag for any app positioning itself as “privacy-first.” Ultimately, the researcher contacted TechCrunch to facilitate the disclosure.
This pattern should sound familiar. It’s the same playbook as Converso.
History Repeats Itself
Converso, Haas’s previous venture, collapsed in May 2023 after security researcher Crnković discovered it exposed encrypted message contents, private encryption keys, message metadata, and user phone numbers. Despite marketing claims of “completely untraceable communication” that even “the FBI can’t crack,” the app’s encryption was fundamentally broken.
After the disclosure, Converso scrubbed all end-to-end encryption claims from its website. Moreover, Haas’s response raised eyebrows. According to Crnković, “The founder of Converso, Tanner Haas, tells me that he and his ‘legal team’ have a problem with my article, and recommends I remove it.”
Two apps. Two major messaging app security failures. The pattern suggests not a one-time implementation error, but a fundamental knowledge gap in building secure systems. When Signal offers peer-reviewed end-to-end encryption for free, why would anyone pay $6 monthly for a founder’s second attempt?
Privacy Theater vs. Real Security
Security experts call this “privacy theater”—giving users a feeling of improved privacy while doing little to actually deliver it. The term, analogous to “security theater,” describes countermeasures that look impressive but provide minimal real protection.
The Freedom Chat security vulnerability reveals the gap between privacy marketing and security fundamentals. Consider what legitimate encrypted messaging platforms provide:
- Signal, the gold standard, offers end-to-end encryption by default, collects virtually no data (only phone number and account creation date), stores no messages on servers, and makes all code open source for external auditing. It’s completely free.
- Telegram runs a bug bounty program paying researchers $500 to $100,000 for valid vulnerability reports, incentivizing security researchers to report issues rather than exploit them.
- WhatsApp, despite its Meta ownership and metadata collection issues, uses the peer-reviewed Signal Protocol and subjects itself to external security audits.
Freedom Chat? No vulnerability disclosure program. No bug bounty. No open source code. Just marketing claims and a founder with a track record of security failures.
The Researcher Who Keeps Finding Flaws
Eric Daigle, a computer science student at the University of British Columbia, has built a remarkable track record of discovering security vulnerabilities in privacy-focused apps. His discoveries in 2024-2025 include the Catwatchful stalkerware breach exposing 62,050 accounts, the iSharing location tracking flaw, and the bizarre discovery of pcTattletale spyware running on Wyndham hotel check-in systems.
Daigle’s method is telling: discover a vulnerability, attempt to contact the company, and when there’s no response or disclosure program, contact TechCrunch. That he repeatedly encounters apps with no vulnerability reporting mechanism shows how many “security” companies skip basic industry practices.
Don’t Build Your Own Crypto
The fundamental lesson from Haas’s repeated failures: don’t build your own encryption unless you truly understand what you’re doing. The Signal Protocol exists, is open source, and has been extensively peer-reviewed by cryptography experts. WhatsApp, Facebook Messenger, and dozens of other apps use it successfully.
CISA’s recently updated mobile communications guidance emphasizes that “no single solution eliminates all risks,” but recommends established platforms with proven track records. Building secure messaging is extraordinarily difficult. Getting it wrong twice suggests it’s time to stop trying.
Freedom Chat has patched the vulnerabilities and reset all user PINs. The app remains available. Nevertheless, for users seeking genuine privacy, the question isn’t whether the latest patch holds—it’s whether you trust a founder who has now failed at secure messaging twice. When Signal exists and is free, the answer seems obvious.
Key Takeaways
- Freedom Chat security vulnerability exposed user PINs to all public channel members
- Founder Tanner Haas’s second messaging app to fail on security after Converso (2023)
- Privacy apps without vulnerability disclosure programs are red flags
- Free secure messaging alternatives like Signal offer superior security with proven track records
- Building custom encryption requires deep expertise—use established protocols instead
