Encrypted messaging apps have become the hottest trend for White House officials, but a new report suggests one of the apps trusted by a number of staffers in the Trump administration may be vulnerable to security exploits.
According to a report from the Intercept, researchers from the security solutions firm IOActive discovered a number of flaws that would allow an attacker to impersonate contacts, see contact information and change messages before they reached their recipient.
Mike Davis and Ryan O’Horo of IOActive discovered the weaknesses within the app. According to the security researchers, it was possible for an attacker to hijack Confide by taking advantage of a number of technical flaws, including a failure to require a legitimate SSL certificate to ensure the app is communicating with a trusted server and hasn’t been compromised.
Without SSL certificate checking in place, a malicious actor could impersonate the target destination for a sent message or file by getting between the app and the server. This could be performed by anyone connected to the same network as a Confide user, including a public Wi-Fi connection.
Brute force attacks also defeated Confide’s protections. By simply generating automated guesses at a user’s password, an attacker could eventually crack an account and gain access. Confide placed no limits on the number of password guesses a person could input, and the attack could be performed remotely.
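The control whose absence is described above, sketched as an added example (it is not Confide's code or the researchers'): a per-account throttle that locks out further guesses with exponentially growing delays. The class and function names, the thresholds and the simulated clock are assumptions made for illustration.

```python
import time

class LoginThrottle:
    """Per-account failed-login throttle with exponential lockout (hypothetical helper)."""

    def __init__(self, max_failures=5, base_lockout=30.0, max_lockout=3600.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock
        self._state = {}  # account -> (consecutive failures, locked-until timestamp)

    def locked(self, account):
        return self.clock() < self._state.get(account, (0, 0.0))[1]

    def record(self, account, success):
        if success:
            self._state.pop(account, None)  # a good login clears the failure count
            return
        failures, locked_until = self._state.get(account, (0, 0.0))
        failures += 1
        if failures >= self.max_failures:
            # Lockout doubles with every further failure, capped at max_lockout.
            doublings = min(failures - self.max_failures, 32)
            lockout = min(self.base_lockout * 2 ** doublings, self.max_lockout)
            locked_until = self.clock() + lockout
        self._state[account] = (failures, locked_until)

def attempt_login(throttle, account, password, verify):
    """Return 'locked', 'ok' or 'denied'; a locked account's guess is never evaluated."""
    if throttle.locked(account):
        return "locked"
    ok = verify(account, password)
    throttle.record(account, ok)
    return "ok" if ok else "denied"

def guesses_evaluated(throttle, now, account, verify, wordlist, step=1.0):
    """Constructed simulation: one guess every `step` seconds against a fake clock
    held in the one-element list `now`; returns how many guesses the server checked."""
    evaluated = 0
    for guess in wordlist:
        result = attempt_login(throttle, account, guess, verify)
        evaluated += result != "locked"
        if result == "ok":
            break
        now[0] += step
    return evaluated
```

Keying only on the account name lets anyone lock a legitimate user out, so deployed systems usually pair a limit like this with per-source limits.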
The application also allowed some messages to be delivered unencrypted, allowing for the possibility that the plaintext message could be intercepted and read by a person it was not intended for.
In a two-day span, Davis and O’Horo reported they were able to gain access to 7,000 account records. Those records provided them with access to email addresses and real names associated with accounts, including a Donald Trump associate and a number of Department of Homeland Security employees who had downloaded and installed Confide.
The researchers disclosed the vulnerabilities to Confide before sharing the attacks with the public. In a statement provided to the Register, Confide claimed that “not only have these issues been addressed, but we also have no detection of them being exploited by any other party.”
Axios reported last month that a number of White House officials, including press secretary Sean Spicer, have used the app. Even if the app has been secured, there are still questions as to just how legal it is for federal employees to use the app and others like it for official business. Government employees are required to preserve work communications under public record laws.