Security Holes Found in Confide Secure Messaging App


Researchers found some serious security gaps in Confide, a secure messaging app reportedly used by White House staffers, including the ability to impersonate contacts and alter messages in transit.

Confide promises end-to-end military-grade encryption and its messages self-destruct after they are read. “Even we at Confide cannot decrypt or see any messages. Yes, after messages are read once they disappear,” Confide’s website says.

But IOActive researchers identified a number of critical vulnerabilities in the app’s messaging, account management and website, including:

  • Possibility of a man-in-the-middle attack: the application did not require a valid SSL/TLS server certificate, so an attacker who intercepted the connection could impersonate other users.
  • Unencrypted messages could be transmitted without indicating they weren’t encrypted.
  • Some messages could be changed in transit because the app did not use authenticated encryption, so a recipient had no way to detect that ciphertext had been tampered with.
  • Users were allowed to select easy-to-guess passwords that could be cracked with brute-force attacks.
  • An attacker could access email addresses and real names of Confide users. IOActive was able to get 7,000 records of people who signed up for the service Feb. 22-24, according to its report.
  • The app’s website was also vulnerable to a flaw that could be used to mount social-engineering attacks against its users.
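The third item, unencrypted-but-unauthenticated messages being alterable in transit, is easiest to understand in code. The Go program below is an added illustration of that vulnerability class; it is not Confide's code and does not reflect how Confide's protocol was actually built. It encrypts a message with AES in CTR mode, which gives confidentiality but no integrity, and shows how an attacker who knows part of the plaintext (here, an amount at a known offset) can rewrite it with a bit-flip without the key. The same message under AES-GCM, an authenticated mode, fails to decrypt as soon as one byte is touched. The key, IV and nonce are constructed fixed values so the run is deterministic; real code must generate a fresh random nonce per message.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed 256-bit key, fixed only so the example is reproducible.
var key = []byte("0123456789abcdef0123456789abcdef")

// encryptCTR is the weak construction: AES-CTR with no integrity check.
// The fixed all-zero IV is a constructed value for determinism; never reuse an IV in practice.
func encryptCTR(plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	return ct
}

// decryptCTR: CTR mode is a keystream XOR, so decryption is the same operation.
func decryptCTR(ciphertext []byte) []byte {
	return encryptCTR(ciphertext)
}

// flipToReplace is the attacker's move. Knowing that bytes `known` sit at `offset`
// in the plaintext, XORing (known ^ want) into the ciphertext makes it decrypt to
// `want` instead. No key is needed and nothing in CTR mode detects the change.
func flipToReplace(ciphertext []byte, offset int, known, want []byte) []byte {
	forged := append([]byte(nil), ciphertext...)
	for i := range known {
		forged[offset+i] ^= known[i] ^ want[i]
	}
	return forged
}

// encryptGCM is the corrected construction: AES-GCM, an authenticated mode.
// The fixed all-zero nonce is a constructed value for determinism only.
func encryptGCM(plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, aead.NonceSize())
	return aead.Seal(nil, nonce, plaintext, nil)
}

// decryptGCM returns an error if the ciphertext or its tag was modified.
func decryptGCM(ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	return aead.Open(nil, nonce, ciphertext, nil)
}

func main() {
	msg := []byte("PAY 100 USD TO BOB") // constructed sample message; "100" starts at offset 4

	// Unauthenticated: the attacker turns 100 into 900 in transit.
	ct := encryptCTR(msg)
	forged := flipToReplace(ct, 4, []byte("100"), []byte("900"))
	fmt.Printf("CTR, recipient sees: %q\n", decryptCTR(forged))

	// Authenticated: the same single-byte change is rejected outright.
	gct := encryptGCM(msg)
	gct[4] ^= 0x01
	if _, err := decryptGCM(gct); err != nil {
		fmt.Println("GCM, tampering detected:", err)
	}
}
```

The point for a messaging app is that confidentiality alone is not enough: without an authentication tag, the recipient cannot distinguish a message that was altered on the wire from one the sender actually wrote. An AEAD mode such as AES-GCM or ChaCha20-Poly1305 closes this gap, provided nonces are never reused under the same key.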

Confide moved quickly to fix the issues: IOActive notified Confide Feb. 28 and Confide released fixes March 2.

Confide CEO Jon Brod told Dark Reading the company found no indication the vulnerabilities had been exploited prior to the updates.