Confide is an a encrypted texting application for Android and iOS, which used by staffers in White House for their secret communication.
Security Experts from IOActive found Multiple critical flaws while testing versions 4.0.4 for Android and 1.4.2 for Windows and OS X.
Technical Details
- Notification system doesn’t require a valid SSL server certificate to communicate, which would leak information, if any MITM attack performed.
- Unencrypted messages could be transmitted, and no indications for unencrypted message.
- The application neglected to utilize validated encryption, permitting Confide to modify messages in-travel.
- The application permitted an attacker to enumerate all Confide client accounts,including genuine names, email addresses, and telephone numbers.
- Application vulnerable to bruteforce attacks, no password policies which allows users to set vulnerable passwords.
- The application’s site was vulnerable against a arbitrary URL redirection, which
could encourage social engineering attacks against its clients.
Effect
- Imitate another users by hijacking their account session.
- Imitate another users by speculating their password.
- Turned into a middle person in a discussion and decrypt messages.
- Alter the contents of a message or attachment in transit without first decrypting it.
- Learn the contact details of all or specific Confide users.
- Take in the contact details of all Confide clients.
As per IOActive they were able to recuperate more than 7,000 records for clients enlisted between the dates of 2017-02-22 to 2017-02-24.
This information additionally demonstrated that in the vicinity of 800,000 and one million client records were possibly contained in the database.
Amid their 2-day test, the group could discover a Donald Trump relate and a few workers from the Department of Homeland Security (DHS) who downloaded the Confide application.
The confidentiality of the exchanged messages relies on upon the robustness of TLS. Confide can actually read every one of the messages that go through its servers.
End-to-end encryption, as it is executed, exclusively depends on the server through which the messages pass.
Confide is not just an encrypted messenger. It provides other interesting security features:
- Screenshot prevention: Received messages can theoretically not be copied by a user. As the astute reader may have noticed, the previous paragraphs present screenshots of the application.
- Message deletion: Once a user reads a message, it is deleted from the client and from the server. Is it possible to prevent message deletion?
- Secrets protection: Confide handle secrets, like private keys required to decrypt messages. Are these keys correctly protected?
Timeline
- February 2017: IOActive conducts testing on the Confide application.
- February 25, 2017: Confide begins fixing issues uncovered by the detection of anomalous behavior during the testing window.
- February 27, 2017: IOActive contacts Confide via several public email addresses to establish a line of communication.
- February 28, 2017: IOActive discloses issues to Confide. Confide communicates that some mitigations are already in progress and plans are being made to address all issues.
- March 2, 2017: Confide releases an updated Windows client (1.4.3), which includes fixes that address some of IOActive’s findings.
