Confide – White House Staff’s Favorite “Secure” Messaging App – Isn’t Really Secure
Confide, an app that touts its end-to-end encryption, recently made headlines when it was reported that White House officials were using it for self-destructing messages. The app reportedly helped staffers to privately leak confidential information to the press and to communicate with each other without the risk of messages being leaked.
As reported in February, the three-year-old app saw 3x new user sign-ups over a week after the first reports of the Trump administration using the app came forward. "We do see a spike in across the board metrics when there is a major news cycle about the vulnerability of digital communications," Confide's co-founder and president Jon Brod had said.
The secure messaging app that was widely used by the White House staff claims that nobody can intercept and read messages after they are read. Turns out that the messaging app isn't as secure as it was advertised to be.
Confide is "riddled with bugs"
"After they [messages] are read once, they are gone. We delete them from our servers and wipe them from the device. No forwarding, no printing, no saving … no nothing," the app claims.
However, two independent security research teams have found several flaws in Confide, which actually enable the company to read user messages. The app could allow attackers to impersonate other users by hijacking their account session, or by guessing their passwords. Flaws also enabled researchers to become an intermediary in a conversation and decrypt messages.
Security researchers from Seattle-based cybersecurity firm IOActive discovered and reported several vulnerabilities in the app that have now been fixed. The researchers were also able to gain access to 7,000 account records created over the span of two days, giving them real names and email addresses of users. They estimated the database to contain between 800,000 and one million records. Out of this two-day data sample, the research team spotted a President Trump associate and a number of Department of Homeland Security employees who had downloaded the app.
"The application failed to adequately prevent brute-force attacks on user account passwords," the research team wrote. When asked by The Reg, Confide said that none of the reported flaws had been exploited.
"We were able to detect anomalous behavior and remediate many of the issues in real time during IOActive's testing starting on February 24. We were able to quickly address the remaining issue after the initial contact and roll out client updates in less than 48 hours. Not only have these issues been addressed, but we also have no detection of them being exploited by any other party."
While the Confide team touted the app as everyone’s "confidential messenger," the company apparently didn't have any encryption experts on its team until last month, when it started receiving reports of these flaws.
Researchers at Quarkslab also found design flaws that could potentially allow attackers to intercept messages before decryption. After making a number of modifications to the client to analyze the Confide protocol, they said that the app's claims of message deletion and screenshot prevention can be defeated.
"The end-to-end encryption used in Confide is far from reaching the state of the art," researchers wrote. "Building a secure instant messaging app is not easy, but when claiming it, some strong mechanisms should really be enforced since the beginning."
In response, Brod said that "researchers intentionally undermined the security of their own system to bypass several layers of Confide's protection, including application signatures, code obfuscation, and certificate pinning."
"The attack that they claim to be demonstrating does not apply to legitimate users of Confide, who are benefiting from multiple security protections that we have put in place," he added.
News of Confide's vulnerabilities comes only a day after WikiLeaks released a number of documents on the CIA’s spying and hacking operations. As has been said multiple times since yesterday, apps that offer end-to-end encryption are essential for secure communications. However, if you do want your messages to be safe from interception, it is better to stay away from Confide.