A cybersecurity firm found critical vulnerabilities in a messaging application used by White House staffers, which could have allowed malicious hackers access to their conversations.
IOActive began conducting its investigation into Confide’s vulnerabilities in February and found that hackers could impersonate another user by hijacking an account session or guessing passwords, learn the contact information of all or specific Confide users, become an intermediary in a conversation and decrypt messages, and alter the contents of messages and attachments.
“Confide has already resolved the issues that IOActive highlighted in their report, and we have no detection of them being exploited by anyone else,” Jon Brod, co-founder and president of Confide, said in a statement. “Our security team is continuously monitoring our systems to protect our users’ integrity, and we were able to detect anomalous behavior during IOActive’s testing and resolve many of their issues in real time.”
Not all Confide users will be able to know if their conversations have been monitored or altered by hackers.
“We’re not aware of any reliable method to detect all disclosed attacks,” said Ryan O’Horo, senior security consultant for IOActive and co-author of the report.
MeriTalk previously reported that White House employees close to President Donald Trump have been using Confide to prevent the type of email hacking and release of information that occurred at the Democratic National Committee. Confide encrypts messages from end to end, allowing only the sender and receiver to read them. Once the message is read, it disappears.
IOActive found that the application’s notification system didn’t require a valid Secure Sockets Layer (SSL) server certificate to communicate, which would leak session information to hackers attempting a “man-in-the-middle attack.” An SSL is the technology that creates an encrypted link between a Web server and a browser. This link ensures that the data passed between the server and browser remains private.
“Say a target user is in a coffee shop using Confide on the public Wi-Fi,” O’Horo said. “An attacker on that same network can hijack the notification websocket connection to Confide because it specifically does not validate SSL certificates.”
The attacker can get into Confide’s network using a stolen authentication token and access the target user’s messages “far into the future, from any location,” O’Horo said.
“At that point, when a new conversation is created, in addition to the target user’s key, the attacker’s key is used to encrypt messages, and the attacker receives a copy of the messages they can decrypt from Confide,” O’Horo said. “If the attacker wants to be stealthy, they will prevent their client from sending a ‘read’ confirmation, which is Confide’s cue to delete the message from the server, so the target user will also receive the messages.”
Confide boasts “military grade end-to-end encryption,” which specific industries can take advantage of to keep their communications private. However, White House staffers must abide by the Presidential Records Act, which requires all presidential business to be documented and archived. Brod said that Confide expects users to abide by any records management laws that pertain to their industry.
IOActive found that users could send unencrypted messages and that the app didn’t notify users when unencrypted messages were received. The security firm also found that Confide didn’t use authenticated encryption, which would allow messages to be altered in-transit. Attackers also had the ability to send malware through messages.
Confide failed to prevent attacks on user account passwords and users were able to select short, easy-to-guess passwords.
Confide released an updated version of Windows on March 2, which fixed the problems that IOActive found in its report.
“As vulnerabilities arise, we remain committed to addressing them quickly and efficiently, as we have done in this and every instance,” Brod said. “As a confidential messenger, privacy and security is at the heart of everything we do.”