Messaging app used by Trump aides 'riddled with security bugs'

Devs patch after researchers Confide in them about encrypted app's issues

Security researchers have discovered multiple vulnerabilities in Confide, the encrypted messaging app reportedly used by President Donald Trump's aides to speak to each other in secret.

IOActive reported flaws it had discovered in Confide to the app's developers, who responded promptly by patching the application, allowing IOActive to go public with a run-down of the recently resolved security weaknesses on Wednesday.

IOActive security researchers Mike Davis, Ryan O'Horo, and Nick Achatz said they uncovered the flaws after testing Confide version 1.4.2 for Windows and OS X, and version 4.0.4 for Android, by reverse-engineering the published application, observing its behaviour, and interacting with the public API. The security problems identified in the app fell under four major areas, which they said included:

  • HTTPS: The application’s notification system did not require a valid SSL server certificate to communicate, creating a possible mechanism for Man-in-the-Middle attacks.
  • Messaging: Unencrypted messages could be transmitted, and the user interface made no indication when unencrypted messages were received, they said. The application uploaded file attachments before the user sent the intended message.
  • Account Management: The unpatched application allowed an attacker to mine all Confide's user accounts, including real names, email addresses, and phone numbers. The application failed to adequately prevent brute-force attacks on user account passwords. Users were permitted to choose short, easy-to-guess passwords.
  • Website: The application’s website was vulnerable to arbitrary URL redirection, a weakness that might be abused to run social engineering attacks against its users.

These various vulnerabilities open the way to all manner of malfeasance, including but not limited to impersonating another user by hijacking their account session, commandeering accounts after running a brute-force attack to guess passwords, harvesting the contact details of targeted users, eavesdropping on chats, and altering the contents of a message or attachment in transit without first decrypting it.
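The "Account Management" findings above (password brute-forcing and mining of user accounts) are the kind of activity Confide says its security team spotted during testing. As an added example that is not IOActive's or Confide's code, the following detector flags both patterns in authentication logs; the log layout and all IP addresses and usernames are constructed for this example.

```python
from collections import defaultdict

# Constructed sample log; the "ts src=IP user=NAME result=STATUS" layout is an
# assumption for this example, not Confide's real log format.
SAMPLE_LOG = """\
1488000000 src=203.0.113.5 user=alice result=FAIL
1488000003 src=203.0.113.5 user=alice result=FAIL
1488000006 src=203.0.113.5 user=alice result=FAIL
1488000009 src=203.0.113.5 user=alice result=FAIL
1488000012 src=203.0.113.5 user=alice result=FAIL
1488000020 src=198.51.100.7 user=bob result=NOUSER
1488000021 src=198.51.100.7 user=carol result=NOUSER
1488000022 src=198.51.100.7 user=dave result=OK
1488000023 src=198.51.100.7 user=erin result=NOUSER
1488000024 src=198.51.100.7 user=frank result=NOUSER
1488000030 src=192.0.2.9 user=bob result=OK
1488000100 src=203.0.113.8 user=bob result=FAIL
1488000400 src=203.0.113.8 user=bob result=FAIL
1488000700 src=203.0.113.8 user=bob result=FAIL
"""

def parse_line(line):
    """Split one log line into (timestamp, source IP, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return int(ts), kv["src"], kv["user"], kv["result"]

def detect(log_text, window=60, fail_threshold=5, enum_threshold=5):
    """Return (brute_force, enumeration): (src, user) pairs with at least
    fail_threshold failures inside `window` seconds, and sources that touched
    at least enum_threshold distinct accounts inside `window` seconds."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    fails, probes = defaultdict(list), defaultdict(list)
    brute, enum = set(), set()
    for ts, src, user, result in events:
        if result == "FAIL":              # sliding window of failures per account
            q = fails[(src, user)]
            q.append(ts)
            while ts - q[0] > window:
                q.pop(0)
            if len(q) >= fail_threshold:
                brute.add((src, user))
        p = probes[src]                   # sliding window of attempts per source
        p.append((ts, user))
        while ts - p[0][0] > window:
            p.pop(0)
        if len({u for _, u in p}) >= enum_threshold:
            enum.add(src)
    return brute, enum
```

Slow, spread-out failures (the last three lines of the sample) stay below the threshold at the default window, so tune `window` and the thresholds to the login rate you actually expect.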

In response to queries from El Reg, Confide confirmed the now-resolved vulnerabilities, adding that it had not uncovered any evidence that these flaws had been used to target users of the mobile messaging app.

As a confidential messenger, privacy and security is at the heart of everything we do. Our security team continuously monitors our systems to protect our users' integrity, and we were able to detect anomalous behavior and remediate many of the issues in real time during IOActive's testing starting on February 24.

We were able to quickly address the remaining issue after the initial contact and roll out client updates in less than 48 hours. Not only have these issues been addressed, but we also have no detection of them being exploited by any other party. Privacy and security is always an ongoing process. As vulnerabilities arise, we remain committed to addressing them quickly and efficiently, as we have done in this and every instance.

Confide released an updated Windows client (1.4.3) on 3 March, which includes fixes for the critical issues identified by IOActive. IOActive had notified Confide of the problems uncovered in its testing late last month, and praised the prompt response.

IOActive's advisory on its research into vulnerabilities in Confide can be found here. ®
