
Don't Confide? The App White House Leakers Love Could Have Exposed All Users


steven36


White House staffers or anyone using the Confide app to leak secrets, whether Trump's or otherwise, might want to tread carefully: professional hackers have found some serious weaknesses in the encrypted comms tool, potentially exposing reams of customer records. They could have allowed snoops to intercept messages or assume identities of users too, the researchers said.

 


The Confide app may have leaked a considerable amount of contact information, security researchers warned today.

 

 


 

The issues were uncovered by IOActive, which released a report on Wednesday outlining numerous issues it rated "critical," affecting Confide for Android, Windows and Mac OS X. Exploiting the weaknesses allowed its whitehat hackers to access information on more than 7,000 users registered between February 22 and 24. "This data also indicated that between 800,000 and one million user records were potentially contained in the database," the report read. The researchers believe they could have acquired contact details of all Confide users thanks to the vulnerabilities.

 

Confide said it'd now fixed the issues, but concern around the safety of the tool remains. "Our security team is continuously monitoring our systems and we were able to detect anomalous behavior and remediate many of the issues during IOActive's testing in real time. Not only have these issues been resolved, but we also have no detection of them being exploited by any other party," said co-founder and president Jon Brod, in an email to Forbes. "Privacy and security is always an ongoing process. As issues arise, we remain committed to addressing them quickly and efficiently, as we have done in this and every instance."

 

A slew of vulnerabilities

IOActive named 11 separate issues with Confide. Among the most severe were those in the way Confide handled accounts. For instance, the app allowed an attacker to continuously query the Confide server to enumerate all user accounts, including real names, email addresses and phone numbers. It also failed to stop brute-force attacks on passwords, meaning hackers could have made as many guesses as they liked to break into an account. That problem was only made worse by the fact that users were allowed to choose "short, easy-to-guess passwords," IOActive said.

 

There were issues with the app's cryptography too, the security researchers said. The application's notification system did not issue an alert when an invalid web encryption certificate was used by a server. Any hacker able to intercept a Confide communication could therefore pose as a legitimate party and potentially grab messages intended for a legitimate recipient. There was also no indication when unencrypted messages were sent.

 

Confide itself, or someone who'd gained access to Confide services, could also act as a so-called "man-in-the-middle" as the researchers were unable to find working authentication on top of the encryption. And it was possible to crash the app by sending it malformed code.

 

Researchers from Quarkslab, who also showed off Confide exploits Wednesday, found much the same, adding that the app didn't notify users when encryption keys were changed. Ultimately, Quarkslab said the "Confide server can read your messages by performing a man-in-the-middle attack." The company plans to release more information on techniques to prevent other security measures - screenshot prevention and message deletion - from working correctly.

 

In response to Quarkslab's findings, Brod added: "The researchers intentionally undermined the security of their own system to bypass several layers of Confide's protection, including application signatures, code obfuscation, and certificate pinning. The attack that they claim to be demonstrating does not apply to legitimate users of Confide, who are benefiting from multiple security protections that we have put in place. Undermining your own security or taking complete control of a device makes the entire device vulnerable, not just the Confide app.

 

"Like with Apple's iMessage and other end-to-end encrypted messengers, it is theoretically possible that we could man-in-the-middle attack ourselves. Obviously, we would never do this. We will also soon be releasing an update that adds support for independent fingerprint verification, further ensuring that conversations are end-to-end encrypted and that only the intended recipients can read their messages."

 

That White House staffers and other Republicans on Capitol Hill were using Confide to leak information from the Donald Trump administration became apparent in February reports. It later emerged in Buzzfeed that Trump's own press secretary Sean Spicer had briefly used the app to talk to a reporter.

 

Many security experts, as well as congressmen Ted Lieu and Don Beyer, have recommended whistleblowers use other encrypted apps, such as Telegram, WhatsApp and Signal. The latter remains the number one choice for secure communications amongst cryptography experts and for the best-known leaker in the world, Edward Snowden.

 

By Thomas Fox-Brewster

https://www.forbes.com/sites/thomasbrewster/2017/03/08/vulnerabilities-in-confide-white-house-trump-leaks/
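
The missing key-change notification and the planned fingerprint verification described in the article, sketched as an added example (not code from the article, Confide, IOActive or Quarkslab): a trust-on-first-use pin store that flags a changed contact key until its fingerprint is confirmed out of band. The class, function names and sample keys are assumptions constructed for illustration.

```python
import hashlib
import hmac


def fingerprint(public_key: bytes) -> str:
    """First 128 bits of SHA-256 over the key, grouped so two people can compare it aloud."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


class KeyStore:
    """Hypothetical client-side pin store: contact -> pinned fingerprint + verified flag."""

    def __init__(self):
        self._pins = {}

    def check(self, contact: str, served_key: bytes) -> str:
        """Compare the key the server hands out with the pin held on the device."""
        fp = fingerprint(served_key)
        pin = self._pins.get(contact)
        if pin is None:
            # First contact: pin the key, but do not claim it is authentic yet.
            self._pins[contact] = {"fp": fp, "verified": False}
            return "new-unverified"
        if hmac.compare_digest(pin["fp"], fp):
            return "verified" if pin["verified"] else "unverified"
        # The server served a different key: warn and hold messages until re-verified.
        return "KEY-CHANGED"

    def verify(self, contact: str, served_key: bytes, fp_out_of_band: str) -> bool:
        """Accept a key only if it matches the fingerprint the contact read out in person."""
        fp = fingerprint(served_key)
        ok = hmac.compare_digest(fp, fp_out_of_band)
        if ok:
            self._pins[contact] = {"fp": fp, "verified": True}
        return ok


def demo():
    alice_key = b"constructed-sample-key-alice"      # constructed sample, not a real key
    substituted = b"constructed-sample-key-server"   # key swapped in by the server
    store = KeyStore()
    return [
        store.check("alice", alice_key),                             # first use
        store.verify("alice", alice_key, fingerprint(alice_key)),    # confirmed out of band
        store.check("alice", alice_key),                             # same key later
        store.check("alice", substituted),                           # silent swap is caught
        store.verify("alice", substituted, fingerprint(alice_key)),  # swap cannot be verified
    ]


if __name__ == "__main__":
    print(demo())
```
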

 
