Messaging app used by Trump aides 'riddled with security bugs'

Security researchers have discovered multiple vulnerabilities in Confide, the encrypted messaging app reportedly used by President Donald Trump's aides to speak to each other in secret.

IOActive reported flaws it had discovered in Confide to the app's developers, who responded promptly by patching the application, allowing IOActive to go public with a run-down of the recently resolved security weaknesses on Wednesday.

IOActive security researchers Mike Davis, Ryan O'Horo, and Nick Achatz said they uncovered the flaws after testing Confide version 1.4.2 for Windows and OS X, 4.0.4 for Android by reverse-engineering the published application, observing its behaviour, and interacting with the public API. Security problems identified in the app fell under four major areas, which they claimed included:

• HTTPS: The application’s notification system did not require a valid SSL server certificate to communicate, creating a possible mechanism for Man-in-the-Middle attacks.
• Messaging: Unencrypted messages could be transmitted, and the user interface made no indication when unencrypted messages were received, they said. The application uploaded file attachments before the user sent the intended message.
• Account Management: The unpatched application allowed an attacker to mine all Confide's user accounts, including real names, email addresses, and phone numbers. The application failed to adequately prevent brute-force attacks on user account passwords. Users were permitted to choose short, easy-to-guess passwords.
• Website: The application’s website was vulnerable to arbitrary URL redirection, a weakness that might be abused to run social engineering attacks against its users.

These various vulnerabilities open the way up to all manner of malfeasance, including but not limited to impersonating another user by hijacking their account session, commandeering accounts after running a brute-force attack to guess passwords, harvesting the contact details of targeted users, eavesdropping on chats, and altering the contents of a message or attachment in transit without first decrypting it.

In response to queries from El Reg, Confide confirmed the now resolved vulnerabilities, adding that it had not uncovered any evidence that these flaws had been used to target users of the mobile messaging app.

As a confidential messenger, privacy and security is at the heart of everything we do. Our security team continuously monitors our systems to protect our users' integrity, and we were able to detect anomalous behavior and remediate many of the issues in real time during IOActive's testing starting on February 24.

We were able to quickly address the remaining issue after the initial contact and roll out client updates in less than 48 hours. Not only have these issues been addressed, but we also have no detection of them being exploited by any other party. Privacy and security is always an ongoing process. As vulnerabilities arise, we remain committed to addressing them quickly and efficiently, as we have done in this and every instance.

Confide releases an updated Windows client (1.4.3), which includes fixes for the critical issues identified by IOActive on 3 March. IOActive notified Confide on problems uncovered in its testing late last month, a prompt response praised by IOActive.

IOActive's advisory on its research into vulnerabilities in Confide can be found here. ®