Confide, the secure messaging app reportedly employed by President Donald Trump's aides to speak to each other in secret, promises "military-grade end-to-end encryption" to its users and claims that nobody can intercept and read chats that disappear after they are read.
However, two separate research teams have raised red flags about the company's claims.
Security researchers at Seattle-based IOActive discovered multiple critical vulnerabilities in Confide after a recent audit of the version 1.4.2 of the app for Windows, Mac OS X, and Android.
Confide Flaws Allow Altering of Secret Messages
The critical flaws allowed attackers to:
- Impersonate friendly contacts by hijacking an account session or guessing a password, as the app failed to prevent brute-force attacks on account passwords.
- Spy on contact details of Confide users, including real names, email addresses, and phone numbers.
- Intercept a conversation and decrypt messages. Because the app's notification system did not require a valid SSL server certificate, a man-in-the-middle attacker could grab messages intended for a legitimate recipient.
- Alter the contents of a message or attachment in transit without first decrypting it.
- Send malformed messages that can crash, slow, or otherwise disrupt the application.
Exploiting the weaknesses allowed the researchers to gain access to more than 7,000 account records created over the span of two days (between February 22 and 24), out of a database containing between 800,000 and 1 million records.
Flaw Exposed Details of a Trump Associate and Several DHS Employees
Out of just that 2-day sample, the researchers were even able to find a Donald Trump associate and several employees from the Department of Homeland Security (DHS) who downloaded the Confide app.
IOActive researchers Mike Davis, Ryan O'Horo, and Nick Achatz responsibly disclosed a total of 11 separate issues in Confide to the app's developers, who responded immediately by patching the app.
In addition to this, researchers from Quarkslab also showed off Confide exploits Wednesday after analyzing the app's code.
The researchers discovered a series of design vulnerabilities in the Confide for iOS app that could allow the company itself to read user messages, and noted that the app did not notify users when encryption keys were changed.
Even the Company Can Read Your Messages
According to the researchers, "Confide server can read your messages by performing a man-in-the-middle attack," and other security features of the app, such as message deletion and screenshot prevention, can also be defeated.
"The end-to-end encryption used in Confide is far from reaching state of the art," the researchers said. "Building a secure instant messaging app is not easy, but when claiming it, some strong mechanisms should really be enforced since the beginning."
Quarkslab researchers said the company's server could generate its own key pair and hand that public key to a client that requests the public key of a recipient, in place of the recipient's real key.
"This client then unknowingly encrypts a message that can be decrypted by the server," the researchers added. "Finally, when the server sends the message to the recipient, it is able to re-encrypt the message with its own key for the actual recipient."
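As an added illustration (not Confide's code or the researchers' tooling), the following Python models the client-side check the Quarkslab findings imply was missing: a trust-on-first-use store that pins each contact's key fingerprint and refuses to proceed when the directory later serves a different key, so a substitution like the one described above is surfaced to the user instead of silently accepted. Key bytes and contact names are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample key material; real clients would hold actual public keys.
ALICE_PUB = b"constructed-public-key-of-alice"
SERVER_PUB = b"constructed-public-key-held-by-server"


def fingerprint(pub_key: bytes) -> str:
    """SHA-256 hex digest of a public key, the value users compare out of band."""
    return hashlib.sha256(pub_key).hexdigest()


def safety_number(pub_key: bytes) -> str:
    """Group the fingerprint into blocks so two users can read it aloud and compare."""
    fp = fingerprint(pub_key)[:32]
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))


class KeyChangedError(Exception):
    """The directory served a key that differs from the one pinned for this contact."""


@dataclass
class TofuKeyStore:
    """Client-side trust-on-first-use store: pins the first key seen per contact."""
    pinned: dict = field(default_factory=dict)

    def accept(self, contact: str, served_key: bytes) -> bytes:
        """Return the key if it matches the pin (or is the first seen); else raise."""
        fp = fingerprint(served_key)
        known = self.pinned.get(contact)
        if known is None:
            self.pinned[contact] = fp  # first contact: pin and trust
            return served_key
        if known != fp:
            raise KeyChangedError(
                f"{contact}: pinned {known[:12]}, served {fp[:12]}; verify out of band")
        return served_key


def simulate_substitution(store: TofuKeyStore) -> bool:
    """Model the scenario above: the directory first serves Alice's real key, then
    a key the server itself holds. Returns True if the client detects the change."""
    store.accept("alice", ALICE_PUB)       # first lookup: honest answer gets pinned
    try:
        store.accept("alice", SERVER_PUB)  # later lookup: substituted key
    except KeyChangedError:
        return True
    return False
```

A client that lacks this pin (or silently re-pins) behaves like the app as described, accepting whatever key the server returns.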
In response to Quarkslab's findings, Confide co-founder and president Jon Brod said:
"The researchers intentionally undermined the security of their own system to bypass several layers of Confide's protection, including application signatures, code obfuscation, and certificate pinning. The attack that they claim to be demonstrating does not apply to legitimate users of Confide, who are benefiting from multiple security protections that we have put in place. Undermining your own security or taking complete control of a device makes the entire device vulnerable, not just the Confide app."
Confide has rolled out an updated version of its app that includes fixes for the critical issues, and assured its customers that there was no incident of these flaws being exploited by any other party.
Unlike other secure messaging apps, Confide keeps its code private and, until now, has offered little or no detail about the encryption protocols used in the app.
For more details about the vulnerabilities in Confide, you can head on to IOActive's advisory and Quarkslab's Blog.