Encrypted Messaging App Confide Was Full of Security Bugs Exposing User Data

Share this…

Despite being marketed as a safe app, numerous flaws were discovered in its code, exposing user data.

Secure messaging app Confide is, apparently, not as secure as it claims to be, with several security holes making it easy to hack.

According to a blog post by security company IOActive, several vulnerabilities were found in Confide, despite its “military-grade” end-to-end encryption.

It seems that IOActive managed to get access to records for 7,000 Confide users by exploiting vulnerabilities they discovered in the app’s account management system. They explain that part of the problem came from Confide’s very API, which could be used to reveal data on users, including their phone numbers and email addresses.

Researchers further discovered the app allowed user to choose basic passwords. When brute-force attacks were used against a user’s account, the app could not block the attacker.

IOActive also adds that data sent from the app wasn’t always done securely due to an issue with the software’s notification system which neglected using a valid SSL server certificate to communicate. This could make the app vulnerable to man-in-the-middle attacks, allowing hackers to eavesdrop on the very messages users are trying to keep secret.

Last, but not least, the app omitted using a system to authenticate encrypted messages, which could allow Confide to tamper with any messages before they get to their recipient.

Encrypted, but not that safe

Taking into consideration that anyone downloading Confide does this to benefit from full security, this type of bugs are particularly problematic. It is even said that White House staffers use Confide to leak information about Trump’s way of dealing with issues. The main feature this app brings to the table is the capacity for messages sent with it to self-destruct once they’ve been read.

Developers for Confide were informed of the issues and have patched things up. Thankfully, the company says they have not detected anyone else exploiting the vulnerabilities.

The latest update was released at the same time as the IOActive blog post, so we suggest you update as soon as possible if you haven’t already.