Researchers find major flaws in encrypted chat app popular in WH

Researchers are reporting a bevy of security flaws in Confide, the encrypted chat app reportedly used by White House staffers — including flaws that are trivially easy to discover.

A team at IOActive reported the vulnerabilities to Confide the last week of February, and Confide has since released patches. 

According to the IOActive report, Confide's flaws included problems protecting user data, not signing messages in a way that verifies who sent them and, glaringly, not checking whether the validation certificates known as SSL certificates were correct.

SSL certificates ensure that computers encrypt data in such a way that only the intended recipient can receive it. Fake certificates allow attackers to intercept data in transit and either eavesdrop on or change the communication.

"SSL/TLS certificate validation, as was the particular issue with Confide, is one of the first things one would check for as an application security researcher. Such checks are trivial to verify using basic, freely available tools," said IOActive security consultant Ryan O’Horo via email. 

“Not only have these issues been resolved, but we also have no detection of them being exploited by any other party,” Confide co-founder and president Jon Brod said in a statement.

“Privacy and security is always an ongoing process. As issues arise, we remain committed to addressing them quickly and efficiently, as we have done in this and every instance.”

Soon after the Trump administration took office, reports emerged that staffers used Confide to prevent a major leak of compromising information, such as what happened to the Democratic National Committee last year.

Since then, White House press secretary Sean Spicer reportedly informed staffers that Confide should not be used, as it circumvents presidential records archiving laws. 

Spicer's message came before the vulnerabilities were reported, meaning the SSL validation problem existed while the staffers reportedly used the app.