Confide recently made headlines when reports suggested government officials might be using the end-to-end encrypted messenger to leak confidential information straight from the White House. But now it turns out the app might not be as secure as they think.
Security researchers from Seattle-based cybersecurity firm IOActive have discovered numerous critical flaws in Confide following its very first security audit earlier in February, CyberScoop reports.
While the Confide team touted the app as everyone’s “confidential messenger” for years, the company purportedly had no encryption specialists on its team – until last month a team of researchers assembled to pick apart the app’s defenses.
Following their investigation, IOActive found several vulnerabilities [PDF] that could potentially allow attackers to intercept messages prior to decryption. The findings suggest hackers have a slew of attack vectors they could employ to breach Confide. Exploiting the bugs, attackers have the ability to:
- Impersonate another user by hijacking their account session
- Impersonate another user by guessing their password
- Learn the contact details of all or specific Confide users
- Become an intermediary in a conversation and decrypt messages
- Alter the contents of a message or attachment in transit without first decrypting it
IOActive disclosed the discovered vulnerabilities to Confide on February 28, but the official findings are yet to make their way to the public. Since this was the first time Confide undergoes such a thorough security analysis, it remains unclear for how long the flaws have been out in the wild.
The outcome of the research conducted by IOActive backs up the claims of another independent researcher who similarly deemed Confide “not so secure” earlier in February.
Curiously, news of Confide’s vulnerabilities comes only a day after Wikileaks unleashed its Vault 7 series – the largest ever leak on the CIA’s internal covert and hacking operations.
Among other things, the leaked documents suggest that the CIA has ways to bypass end-to-end encrypted messengers like WhatsApp, Telegram and Signal; though it later became clear that the exploits did not directly breach the messaging apps, but the operating systems they run on, including Android and iOS.
So in case you’re looking for a secure messaging platform to communicate with friends and acquaintances: Better stay away from Confide – and think twice before you readily trust other apps too. Nothing seems to be immune to interception these days.