A supposedly secure chat app popular with White House staffers contained serious security flaws, according to a new report.
Researchers discovered several “critical” security vulnerabilities in some versions of Confide, an app that has gained popularity following reports that federal employees use it to communicate and to leak information securely. White House press secretary Sean Spicer has checked aides’ phones for encrypted apps including Confide.
Cybersecurity consulting firm IOActive released a report Wednesday saying Windows and Android versions of Confide had numerous flaws that could allow an attacker to impersonate users, decrypt messages, change messages before they were received and learn the contact details of the app’s users.
The problems have since been fixed, and there is no sign that they were exploited for use in attacks, Confide cofounder and president Jon Brod told CNNTech in an emailed statement.
“Privacy and security is always an ongoing process. As issues arise, we remain committed to addressing them quickly and efficiently, as we have done in this and every instance,” he added.
IOActive’s report said its researchers told Confide about the problems and the companies worked together to fix them. IOActive complimented Confide’s response, saying the app maker responded immediately and was “receptive to our research, quick to move on addressing critical issues found, and worked with us to share the information.”
But the security flaws detailed are serious. Among other concerns, IOActive said Confide let users choose short, easy-to-guess passwords; allowed messages to be sent unencrypted without alerting the recipient; and did not require proof that it was talking to the genuine web server (a valid server certificate), which could have let an attacker on the network read the traffic.
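The following is an added illustration, not code from Confide and not taken from IOActive's report. It shows what a fail-closed receiver looks like for two of the flaw classes named above: a message altered in transit must be rejected, and a message that arrives unencrypted must not be accepted silently. The envelope format, the shared per-conversation key and the cipher are all assumptions made for the example (an HMAC-SHA256 keystream in counter mode with encrypt-then-MAC, chosen only because it needs nothing outside Python's standard library; a real messenger would use an AEAD such as AES-GCM or ChaCha20-Poly1305).

```python
import hashlib
import hmac
import secrets

# Constructed demo key for the example; a real app derives this per conversation.
CONV_KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from the shared secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: block i = HMAC(enc_key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(mac_key: bytes, enc: bool, nonce: bytes, body: bytes) -> bytes:
    # The enc flag is bound into the MAC so an attacker cannot downgrade an
    # encrypted message to "plaintext" without invalidating the tag.
    flag = b"\x01" if enc else b"\x00"
    return hmac.new(mac_key, flag + nonce + body, hashlib.sha256).digest()


def seal(key: bytes, plaintext: bytes, enc: bool = True) -> dict:
    """Sender side. enc=False models the flaw: the body goes out in the clear."""
    nonce = secrets.token_bytes(16)
    body = plaintext
    if enc:
        ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = _tag(_subkey(key, b"mac"), enc, nonce, body)
    return {"enc": enc, "nonce": nonce.hex(), "body": body.hex(), "tag": tag.hex()}


def open_envelope(key: bytes, env: dict, allow_plaintext: bool = False) -> bytes:
    """Receiver side, fail closed.

    Raises ValueError if the tag does not verify (altered, forged or downgraded
    message) or if the message is unencrypted and the caller has not explicitly
    opted in. A plaintext body is never handed back without that opt-in.
    """
    nonce = bytes.fromhex(env["nonce"])
    body = bytes.fromhex(env["body"])
    enc = bool(env["enc"])
    expected = _tag(_subkey(key, b"mac"), enc, nonce, body)
    if not hmac.compare_digest(expected, bytes.fromhex(env["tag"])):
        raise ValueError("tag mismatch: message altered in transit or forged")
    if not enc:
        if not allow_plaintext:
            raise ValueError("unencrypted message rejected")
        return body
    ks = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def tamper(env: dict) -> dict:
    """Flip one byte of the body, as a man-in-the-middle might."""
    body = bytearray(bytes.fromhex(env["body"]))
    body[0] ^= 0x01
    return {**env, "body": body.hex()}


def is_rejected(key: bytes, env: dict, allow_plaintext: bool = False) -> bool:
    """True if open_envelope refuses the envelope."""
    try:
        open_envelope(key, env, allow_plaintext)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    env = seal(CONV_KEY, b"meet at 9")
    print(open_envelope(CONV_KEY, env))                          # b'meet at 9'
    print("tampered rejected:", is_rejected(CONV_KEY, tamper(env)))   # True
    print("plaintext rejected:", is_rejected(CONV_KEY, seal(CONV_KEY, b"leak", enc=False)))  # True
```

The point of binding the `enc` flag into the tag is the downgrade case: stripping the flag from an encrypted envelope, or sending plaintext with a forged tag, fails verification just as a modified body does, so the receiver never quietly displays something weaker than what the sender believed it sent.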
IOActive did not independently determine whether attackers had exploited these security holes before they were discovered.
Confide advertises that it uses “military grade cryptography,” a term that has been ridiculed by some in the cybersecurity community. Earlier this week, CNNTech reported users should be wary of those claims.
IOActive’s report highlights why it is important for independent researchers to examine how an app is actually built, rather than rely on its marketing claims, before users trust it with sensitive communications.