Confide, a three-year-old messaging app reportedly favored by White House officials and supposedly boasting “military-grade end-to-end encryption,” was so insecure it allowed attackers to impersonate friendly contacts, spy on contact information, and even alter messages in transit, according to a cybersecurity firm.
While Confide, dubbed the “Snapchat for business,” has since mostly fixed these insecurities after the firm, IOActive, contacted the company with its research, an attacker could have taken full advantage before this month, according to a report from IOActive security researchers Mike Davis and Ryan O’Horo.
Axios last month reported that paranoid White House staffers and top Republicans were shielding their communications using the app, which offers a disappearing message feature. The application also requires the user to scroll over each line of text individually to see the hidden message beneath — making it hard to screenshot the full text. BuzzFeed confirmed that White House press secretary Sean Spicer and White House director of strategic communications Hope Hicks had downloaded the app at some point in time.
After those reports emerged, Confide’s download numbers surged. Google Ventures, Billy Bush, SV Angels, and other big investors had already doled out more than $3 million to help create the app, which also syncs with iMessage for Apple users.
The app’s self-erasing messages raised concerns about whether federal employees who use it for official business were breaking public records laws, which require them to preserve communications sent in their professional capacity.
But use of the app also prompted security concerns, as raised by the BuzzFeed report, which O’Horo and Davis have now explained in detail.
A malicious actor, according to the report, could hijack an app in use and pretend to be the account holder, change the contents of a message traveling to its recipient, gain access to someone’s Confide address book, easily guess a user’s password, or decrypt messages in transit.
That’s because of several technical flaws, including a failure to require a legitimate SSL certificate, the check that ensures the server the app is communicating with is not an impersonator. Without checks on SSL certificates, sensitive information could be intercepted by anyone sharing a network with a Confide user, for example on a public WiFi network at a coffee shop.
The report also says Confide allows brute force attacks: someone can automate attempts to guess a password as many times as they want before cracking it, and the attack can be performed remotely. According to the report, the application also allowed messages to be delivered unencrypted.
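The usual server-side defense against the unlimited password guessing described above is to stop evaluating guesses after repeated failures. The sketch below is an added example, not code from Confide or IOActive; the class name, thresholds and account names are assumptions chosen for illustration.

```python
import time


class LoginThrottle:
    """Per-account failed-login limiter with exponential lockout (constructed example)."""

    def __init__(self, max_failures=5, base_lockout=30.0, max_lockout=3600.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock  # injectable so the behaviour can be tested without sleeping
        self._state = {}    # account -> (consecutive_failures, locked_until)

    def retry_after(self, account):
        """Seconds the caller must wait before another attempt is evaluated."""
        _, locked_until = self._state.get(account, (0, 0.0))
        return max(0.0, locked_until - self.clock())

    def attempt(self, account, password_ok):
        """Return 'ok', 'denied' or 'locked'. While an account is locked the
        password result is ignored, so guesses made then reveal nothing."""
        if self.retry_after(account) > 0:
            return "locked"
        if password_ok:
            self._state.pop(account, None)  # success resets the failure count
            return "ok"
        failures = self._state.get(account, (0, 0.0))[0] + 1
        locked_until = 0.0
        if failures >= self.max_failures:
            # Lockout doubles with each failure past the threshold, up to a cap.
            delay = min(self.max_lockout,
                        self.base_lockout * 2 ** (failures - self.max_failures))
            locked_until = self.clock() + delay
        self._state[account] = (failures, locked_until)
        return "denied"


def count_evaluated(throttle, account, guesses, real_password):
    """Replay a burst of guesses with no waiting; return how many were evaluated."""
    evaluated = 0
    for guess in guesses:
        if throttle.attempt(account, guess == real_password) != "locked":
            evaluated += 1
    return evaluated
```

Per-account lockout alone lets anyone lock a known user out, so deployments usually pair it with per-source limits.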
The researchers were also able to gain access to 7,000 account records created over the span of two days, out of a database they estimated to contain between 800,000 and 1 million records. That gave them access to email addresses and real names. Out of just that two-day sample, O’Horo and Davis were able to find a Donald Trump associate and several Department of Homeland Security employees who downloaded the application.
“What we can say is that some of these attacks can be performed remotely. Some can be performed in a coffee shop near the victim. Some of them require Confide to act in bad faith or for an attacker to compromise Confide’s infrastructure,” O’Horo wrote in a text message to The Intercept. “None of which would be reasonably sophisticated,” he concluded.
In a statement to The Register, Confide said that “not only have these issues been addressed, but we also have no detection of them being exploited by any other party.”
Top photo: White House advisers Kellyanne Conway and Hope Hicks use their phones during the daily press briefing at the White House in Washington on Jan. 30, 2017.