A messaging app called Confide, reportedly used mostly by White House staffers because of its “military-grade end-to-end encryption,” turned out to be so insecure that it allowed intruders to spy on contact information, impersonate trusted contacts and alter messages in transit. Once security researchers reported these vulnerabilities, the company fixed most of them, but an attacker could have exploited them freely before the fixes landed this month.
It was recently reported that many White House officials and top Republicans were trying to shield their communications using Confide, which offers a Snapchat-like self-erasing message feature. Confide also requires users to scroll over each line of text individually to reveal the hidden message beneath, which makes it almost impossible to screenshot the full text. It was confirmed that the White House press secretary and the White House director of strategic communications had both downloaded Confide. After this, the app’s download numbers surged, and a range of big investors, including Google Ventures, allocated over $3m to help develop the app, which also syncs with iMessage for Apple users.
At the same time, the app’s disappearing messages raised concerns about whether federal employees were breaking public records laws, which require them to preserve communications sent in their professional capacity. The use of Confide also raised security concerns, since attackers could hijack an active session and pose as the account holder. The malicious actors could then change the contents of a message on its way to the recipient, gain access to a user’s address book, guess a password or decrypt messages in transit.
These weaknesses stemmed from a number of technical flaws, including a failure to require a legitimate SSL certificate. Confide also left itself open to brute force attacks: it did not limit login attempts, so an attacker could automate password guesses as many times as they wanted. Finally, Confide allowed messages to be delivered unencrypted. The security researchers managed to gain access to 7,000 account records, which exposed email addresses and real names. The list included a Donald Trump associate and several Department of Homeland Security employees who had downloaded the app.