Tango, the cross-platform video calling application, appears to following in the footsteps of iPhone's Path application when it comes to the poor management of private account data. (Not to be confused with the Windows Phone update, codenamed Tango.) Today, a reader wrote in detailing how the PC client (version 1.6.14117 at time of writing) allows one armed with simply a mobile number access to any Tango user's contact data -- and account -- by simply using the application in a specific manner. While we won't share exact details, we must admit it's not hard to figure out. And just a few months ago, Tango was discovered to be downloading contact details without permission.
Using the steps provided, we were able to download a colleague's Tango contact data, make Tango calls, and manage account details with ease. This possibly indicates that Tango's security code-based account validation is simply an arbitrary client-side check -- a big no-no.
Update: Tango let us know the issue has been fixed and an update has been pushed out to users. Kudos to the Tango team for the quick response.
