Confide, a three-year-old messaging app reportedly favored by White House officials and supposedly boasting “military-grade end-to-end encryption,” was so insecure it allowed attackers to impersonate friendly contacts, spy on contact information, and even alter messages in transit, according to a cybersecurity firm.
While Confide, dubbed the “Snapchat for business,” has mostly fixed these flaws since the firm, IOActive, disclosed its research to the company, an attacker could have exploited them freely before this month, according to a report from IOActive security researchers Mike Davis and Ryan O’Horo.
Axios last month reported that paranoid White House staffers and top Republicans were shielding their communications using the app, which offers a disappearing message feature. The application also requires the user to scroll over each line of text individually to see the hidden message beneath — making it hard to screenshot the full text. BuzzFeed confirmed that White House press secretary Sean Spicer and White House director of strategic communications Hope Hicks had downloaded the app at some point in time.
After those reports emerged, Confide’s download numbers surged. Google Ventures, Billy Bush, SV Angels, and other big investors had already doled out more than $3 million to help create the app, which also syncs with iMessage for Apple users.
The application’s message-erasing feature raised concerns about whether or not federal employees who use the app for official business were breaking public records laws — which require them to preserve communications sent in their professional capacity.
But use of the app also prompted security concerns, as raised by the BuzzFeed report, which O’Horo and Davis have now explained in detail.
A malicious actor, according to the report, could hijack an app in use and pretend to be the account holder, change the contents of a message traveling to its recipient, gain access to someone’s Confide address book, easily guess a user’s password, or decrypt messages in transit.
That’s because of several technical flaws — including a failure to validate the server’s SSL certificate, the check that ensures the server the app is talking to is the genuine one and not an impersonator. Without that certificate check, sensitive information could be intercepted by anyone sharing a network with a Confide user, for example, on a public WiFi network at a coffee shop.
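To make the certificate-validation point concrete, here is an added example (not code from the report or from Confide) contrasting a TLS client configuration that skips certificate checks with one that enforces them, plus an optional certificate pin as a second layer; the pin value and hostnames are constructed placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder: the SHA-256 of the DER-encoded server certificate an
# operator would record at deployment time. Not a real value for any service.
EXPECTED_CERT_SHA256 = "00" * 32


def insecure_context() -> ssl.SSLContext:
    """The weak pattern: traffic is encrypted but the peer is never authenticated.
    Any certificate from any server is accepted, so someone on the same network
    can terminate TLS, read the plaintext, and rewrite it before forwarding."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Require a certificate chaining to a trusted CA that matches the hostname."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_fingerprint(der_cert: bytes) -> str:
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_hex: str = EXPECTED_CERT_SHA256) -> bool:
    """Compare the presented leaf certificate against a recorded pin in constant time."""
    return hmac.compare_digest(cert_fingerprint(der_cert), expected_hex)


def connect_pinned(host: str, port: int = 443,
                   expected_hex: str = EXPECTED_CERT_SHA256) -> ssl.SSLSocket:
    """Open a TLS connection that passes CA validation AND the certificate pin."""
    ctx = hardened_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, expected_hex):
        sock.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return sock
```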
The report also says Confide permitted brute force attacks, letting someone automate password guesses without limit until one succeeded, an attack that can be performed remotely. According to the report, the application also allowed messages to be delivered unencrypted.
The researchers were also able to gain access to 7,000 account records created over the span of two days, out of a database they estimated to contain between 800,000 and 1 million records. That gave them access to email addresses and real names. Out of just that two-day sample, O’Horo and Davis were able to find a Donald Trump associate and several Department of Homeland Security employees who downloaded the application.
“What we can say is that some of these attacks can be performed remotely. Some can be performed in a coffee shop near the victim. Some of them require Confide to act in bad faith or for an attacker to compromise Confide’s infrastructure,” O’Horo wrote in a text message to The Intercept. “None of which would be reasonably sophisticated,” he concluded.
In a statement to The Register, Confide said that “not only have these issues been addressed, but we also have no detection of them being exploited by any other party.”