Confide, the messaging app pitched as a secure communications platform for Washington, D.C.’s most high-powered political operatives, is finally under the security microscope.
Security researchers at Seattle-based IOActive found multiple critical vulnerabilities in Confide after it underwent a security audit for the first time in February.
The critical vulnerabilities impacting Confide include impersonating another user by hijacking an account session or by guessing a password, learning the contact details of Confide users, becoming an intermediary in a conversation and decrypting messages, and potentially altering the contents of a message or attachment in transit without first decrypting it.
Although the app has been pushed to headlines by a three-year-long marketing operation, the audit was the first time Confide’s team dealt with researchers’ taking apart the app. That means the vulnerabilities may have existed for years even as journalists and White House operatives used Confide for secure messaging.
IOActive researchers have privately told industry colleagues for several weeks to stop using Confide immediately. Ryan O’Horo, a managing security consultant for IOActive, appeared to call the vulnerabilities the most shocking security failures he’d seen in the wild.
You'll find out tomorrow. https://t.co/wGruDQz9jT
— Ryan O'Horo ⁉️ (@redteamwrangler) March 7, 2017
Officials at Confide and IOActive declined comment.
The vulnerabilities were fully disclosed to Confide a week ago, on Feb. 28. The security issues, which affected Confide on Android, Apple OSX and Windows, have been fixed.
The audit comes after Confide rose quickly in popularity as the secure messaging app of choice among reporters and political operatives who are increasingly paranoid about President Donald Trump’s administration’s attempted crackdown on leakers. But despite media attention and adoption by senior White House leadership — who are high-value targets for foreign spy agencies — it wasn’t until last month that security experts began to pick apart Confide’s claims of “military grade” encryption.
Unlike some other privacy software, Confide keeps its code private and until recently, offered little or no detail on the encryption protocols used in the app. The “military-grade” marketing claims could not be independently verified, prompting security experts to express extreme skepticism.
In an interview with CyberScoop, Alan Woodward, a professor at the University of Surrey, said Confide was “a triumph of marketing over substance.”
“It always worries me when someone starts by saying they use ‘military-grade encryption.’ That immediately makes me start to look for the snake oil,” Woodward said. “It sounds like sales puff over substance.”
An anonymous independent cybersecurity researcher told BuzzFeed News last month that his own investigation of the app found “a number of problems … we would not recommend this app to someone looking for secure messaging.”
Confide’s use by powerful people in Washington, D.C., is no accident. That’s exactly whom the company’s executives pitch the app to.
“If you think about the type of people who are great for Confide, it’s people who communicate a lot of sensitive information as a matter of course,” company co-founder Jon Brod said in an interview last month with online video network Cheddar. “Think about lawyers, journalists, media … management consultants, executives, boards of directors. Political operatives, regardless of which side of the aisle they fall on, fit nicely into that category.”
Confide, and apps that are more widely supported by security experts like Signal, were the subject of a surprise crackdown by Trump press secretary Sean Spicer last week who reportedly checked staffer’s phones for the app. The leak-check promptly leaked to the press. Just one week earlier, Spicer told Buzzfeed News that Confide was on his phone and that considered the apps he used to be a “private” matter.
With the new administration, a new wave of headlines on Confide’s broadening adoption sparked new interest and criticism for a distinct lack of transparency. In a similar situation, researchers have found vulnerabilities and heaped criticism on Telegram as that app has surpassed 100 million global users including U.S. federal government employees.
The full IOActive report can be found on the company’s website.