Confide, a messaging app reportedly favoured by White House staff and marketed as offering "military level end-to-end encryption", has been found to be vulnerable enough that an attacker could break into accounts, impersonate a user's contacts, alter messages in transit and harvest contact details, according to a cyber security firm.
According to a report by IOActive security researchers Mike Davis and Ryan O'Horo, an attacker could have exploited the flaws fully until Confide fixed most of them, which the company did after IOActive contacted it with its findings.
Confide, which offers disappearing messages, was reported to be in use among White House staffers and prominent Republicans, Axios reported last month. The app makes it difficult to screenshot a full message: the reader has to slide a finger over the text, and a screenshot captures only the portion revealed at that moment. By default, the app deletes messages once they have been read. "We immediately delete them from our servers and wipe them from the device," says Jon Brod, co-founder and president of the company.
Sean Spicer, the White House press secretary, and White House director of strategic communications Hope Hicks had downloaded the app at some point, BuzzFeed News confirmed.
After these reports, Confide's download numbers rose. Investors including Google Ventures, SV Angel and Billy Bush put more than $3 million into building the app, which also integrates with iMessage for Apple users.
As reported by BuzzFeed, O'Horo and Davis have now set out the details of the security concerns they identified while examining the app.
According to the report, an attacker could take over an account in use and pose as its holder, and could then alter the content of a message, break into someone's Confide address book, decrypt messages in transit or guess a user's password.
The app was exposed by technical weaknesses such as a failure to validate the server's SSL certificate, the check that ensures the server the app is talking to is genuine rather than an impostor. Without that check, anyone sharing a network with a Confide user can sit in the middle of the connection and intercept sensitive data.
The app also allowed messages to be delivered unencrypted, and because nothing limited the number of login attempts, an attacker could keep guessing a user's password as many times as they wanted, the report further explains.
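The password-guessing weakness described above is a missing server-side control, not a cryptographic one. The following is an added example, not Confide's code or anything from the IOActive report: a hypothetical login guard that counts failed attempts per account and, more loosely, per source address, locks the account after a threshold, and refuses even a correct password while the lock is in force. The thresholds, the account name, the constructed wordlist and the fake clock are all assumptions made for the demonstration.

```python
import time
from collections import defaultdict, deque


class FakeClock:
    """Deterministic clock so the demonstration runs offline (constructed for this example)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class NoThrottle:
    """Baseline with no limit: every guess is checked, the situation the report describes."""

    def check(self, username, source_ip, password_ok):
        return "ok" if password_ok else "denied"


class LoginThrottle:
    """Hypothetical guard: lock an account after repeated failures, with a looser per-IP limit.

    Thresholds are illustrative assumptions, not values from the page or from Confide.
    """

    def __init__(self, max_user_failures=5, max_ip_failures=50,
                 window=300, lockout=900, now=time.monotonic):
        self.limits = {"user": max_user_failures, "ip": max_ip_failures}
        self.window = window                 # seconds over which failures are counted
        self.lockout = lockout               # seconds a locked key stays locked
        self.now = now
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lock expires

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.now() < until:
            return True
        del self.locked_until[key]           # lock has expired; forget it
        return False

    def _record_failure(self, key, t):
        q = self.failures[key]
        while q and t - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        q.append(t)
        if len(q) >= self.limits[key[0]]:
            self.locked_until[key] = t + self.lockout
            del self.failures[key]

    def check(self, username, source_ip, password_ok):
        """Return 'locked', 'ok' or 'denied'. Consult this before issuing any session."""
        t = self.now()
        keys = (("user", username), ("ip", source_ip))
        # A locked key rejects even a correct password, so the lock cannot be used as an oracle.
        if any(self.is_locked(k) for k in keys):
            return "locked"
        if password_ok:
            for k in keys:
                self.failures.pop(k, None)
            return "ok"
        for k in keys:
            self._record_failure(k, t)
        return "denied"


def simulate_guessing(guard, username, real_password, guesses, clock, source_ip="203.0.113.7"):
    """Return how many guesses an attacker gets to test before being locked out or succeeding."""
    tested = 0
    for guess in guesses:
        result = guard.check(username, source_ip, guess == real_password)
        if result == "locked":
            break
        tested += 1
        if result == "ok":
            break
        clock.advance(1)                     # one guess per second
    return tested


if __name__ == "__main__":
    # Constructed wordlist; the real password is the last entry.
    wordlist = ["password", "123456", "qwerty", "letmein", "welcome", "confide", "hunter2"]
    clock = FakeClock()
    print("no throttle:", simulate_guessing(NoThrottle(), "alice", "hunter2", wordlist, clock))
    clock = FakeClock()
    guard = LoginThrottle(now=clock)
    print("throttled:  ", simulate_guessing(guard, "alice", "hunter2", wordlist, clock))
    print("correct password while locked:", guard.check("alice", "203.0.113.7", True))
```

With no limit the attacker reaches the real password on the seventh guess; with the guard, the fifth failure locks the account and the sixth attempt is refused before the password is even compared. The per-IP threshold is deliberately higher than the per-account one so that one attacker cannot lock every user behind a shared address, and the same keyed counter can be attached to a contact-lookup endpoint to slow the kind of bulk record harvesting described later in this article.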
O'Horo and Davis found that an associate of Donald Trump and several Department of Homeland Security employees had downloaded the app. They discovered this in 7,000 account records, exposing email addresses and real names, which they pulled in two days from a database they estimated to contain between 800,000 and 1 million records.
However, in a statement to The Register, Confide said, "not only have these issues been addressed, but we also have no detection of them being exploited by any other party."