Researchers at IOActive have uncovered a number of serious security flaws in the Confide secure messaging app, some of which could allow an attacker to hijack a user’s session or impersonate a target user.
Confide is one of the group of encrypted chat apps that have emerged in the last few years and promises end-to-end encryption and self-destructing messages. But the team at IOActive discovered a group of vulnerabilities in the app that make users susceptible to a range of attacks that could result in account compromises, message disclosure, and other problems. The vulnerabilities span a number of different areas in the app, but one of the main issues is the way Confide handles SSL certificates.
“The application’s notification system did not require a valid SSL server certificate to communicate, which would leak session information to actors performing a man-in-the-middle attack,” the IOActive bulletin says.
The researchers also found that Confide will send some messages in plaintext, which isn’t a desirable behavior for a secure messaging app. In some cases, plaintext messages are sent and a recipient doesn’t get a notification telling him that a given message wasn’t encrypted. IOActive also found a separate issue that could allow Confide to intercept encrypted messages.
“Confide failed to provide a participant fingerprint authentication mechanism, allowing Confide to conduct man-in-the-middle attacks on encrypted messages by changing the public keys sent to parties of a conversation,” the advisory says.
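A sketch of the kind of participant fingerprint check the advisory says was missing, added here as an illustration; it is not Confide's or IOActive's code. The `KeyStore` class, the contact name, the sample key bytes and the choice of SHA-256 over the raw key as the fingerprint format are all assumptions made for the example.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    """SHA-256 of the raw key, in 4-hex-digit groups two people can read aloud."""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))

class KeyStore:
    """Remembers, per contact, the fingerprint the user verified out of band."""

    def __init__(self):
        self._pinned = {}

    def verify_and_pin(self, contact, key_from_server, fp_from_contact):
        # fp_from_contact arrives over a channel the server does not control
        # (in person, a phone call); the server only supplies key_from_server.
        if not hmac.compare_digest(fingerprint(key_from_server), fp_from_contact):
            return False  # the server handed us a key the contact does not own
        self._pinned[contact] = fp_from_contact
        return True

    def check(self, contact, key_from_server):
        pinned = self._pinned.get(contact)
        if pinned is None:
            return "unverified"   # no basis to trust this key yet
        if hmac.compare_digest(pinned, fingerprint(key_from_server)):
            return "ok"
        return "key-changed"      # block sending until re-verified

# Constructed sample keys (not real key material).
BOB_KEY = bytes(range(32))
SUBSTITUTED_KEY = bytes(range(1, 33))

if __name__ == "__main__":
    store = KeyStore()
    print(store.check("bob", BOB_KEY))
    print(store.verify_and_pin("bob", BOB_KEY, fingerprint(BOB_KEY)))
    print(store.check("bob", SUBSTITUTED_KEY))
```

Without a comparison like this, a client has to accept whatever public key the server relays, which is the gap the advisory describes.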
Confide has gained a lot of attention in recent weeks thanks to reports that staffers in the federal government, specifically the White House, have been using the app to circumvent monitoring by the Trump administration. Unlike Signal and other secure messaging apps, Confide doesn’t provide documentation on the encryption protocol it uses, saying only that it’s “military grade”.
IOActive notified Confide of their findings in late February and by the first week of March the company had mitigated the critical issues identified by IOActive.
“After IOActive disclosed these vulnerabilities to Confide, the company subsequently remediated issues identified as critical and informed IOActive of fixes,” the security advisory says.