Nothing Fixed CMF Watch App Vulnerability That Could Expose Email Addresses, s: Report 2c604e

shut down amid allegations that the service did not encrypt messages and media as d by Nothing and its partner Sunbird.

9to5Google contributor Dylan Roussel, in a recent a thread on X (formerly Twitter), explained that the CMF Watch app was encrypting both the email address and provided by s when g up for an — while allowing decryption of both the email and with the same keys. The publication reports that the means to decrypt information was also found in the Android app, which allowed anyone to view those details.

Back in September, Roussel had pointed out that the CMF Watch app was developed by Chinese firm Jingxun, and references to the firm were visible in the app. At the time, he pointed out that the company's website also lists OnePlus as one of its partners, alongside Sony, Philips, and Toshiba.

Months after the vulnerabilities were reported, CMF by Nothing told the publication that it is working to fix the security flaws pointed out by Roussel — the encryption method for a 's has reportedly been resolved, while the email address is still impacted by the flaw. The company told 9to5Google that an OTA update will be rolled out to CMF Watch Pro s to resolve outstanding issues.

According to the 9to5Google report, the company recently opened up different points of for vulnerabilities with both Nothing and CMF by Nothing products — these weren't available back in September when the flaws were being reported.

It is worth noting that Nothing was recently entangled in a privacy controversy when the company released its Nothing Chats app in beta, promising Nothing Phone 2 s access to Apple's proprietary iMessage service. After several issues with the privacy and security of the service were raised online — including handling of unencrypted messages and media by Nothing's partner Sunbird — the company pulled its app from the Play Store, while Sunbird also informed s it was pausing access to its own service.