Leaks have plagued the Trump administration since the president took office less than seven weeks ago. His anger about these backchannels has grown, up to and including reported demands for an investigation into the sources. Press secretary Sean Spicer has even apparently taken to doing random phone checks, supervised by White House attorneys, to see what staffers and aides are up to on their devices and whether they have secure communication apps installed.

In the midst of all of this, the end-to-end encrypted, disappearing messages app Confide has emerged as a popular choice among administration officials looking to discuss sensitive topics with coworkers, the press, or other groups. But in spite of Confide's claims that it "gives you the comfort of knowing that your private messages will now truly stay that way," researchers at security firm IOActive recently notified its developers of a number of critical vulnerabilities in the app. Those have since been resolved, but that's small consolation for White House staffers and general users who relied on Confide while it was exposed.

Leaky Chat

IOActive found vulnerabilities in numerous areas of the Confide app on Windows, macOS, and Android. By reverse-engineering the applications to see how they work and where they might have weaknesses and probing Confide's public API to see what data could be accessible to anyone, the researchers discovered that they could alter messages and attachments in transit, decrypt messages, impersonate users, and reconstruct a database of all Confide users, their names, email addresses, and phone numbers. It's a concerning list of potential attacks for an app that touts security and privacy as its main offerings.

In total, the IOActive researchers laid out 11 vulnerabilities. For example, they were able to pull over 7,000 records for users who joined Confide between February 22 and February 24, before Confide detected the intrusion. The database contains between 800,000 and 1 million user records in all. The app had no protection against brute-forcing account passwords and imposed only weak minimum requirements on what a user's password could be. It didn't notify recipients when a message arrived unencrypted, and the client didn't validate the server's TLS certificate, the check that prevents an attacker on the network from impersonating the server and intercepting traffic.
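To make the two account-protection controls just described concrete, here is an added example of a minimal login service that enforces a password policy and locks an account after repeated failures. It is illustrative code written for this page, not Confide's code, and makes no claim about how Confide's servers work; the usernames, passwords, thresholds and lockout window are constructed values chosen for the example.

```python
"""Added example: server-side brute-force throttling plus a minimum password
policy. Not Confide's code; thresholds and accounts are constructed values."""
import hashlib
import hmac
import os
import re
import time

MAX_FAILURES = 5        # assumption: lock after 5 consecutive failed logins
LOCKOUT_SECONDS = 900   # assumption: 15-minute lockout
MIN_PASSWORD_LEN = 12   # assumption: policy threshold for the example


def password_policy_ok(pw):
    """Reject short passwords and those drawn from fewer than three
    character classes. A stricter product would also check a breach list."""
    if len(pw) < MIN_PASSWORD_LEN:
        return False
    classes = sum(
        bool(re.search(pattern, pw))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    return classes >= 3


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 200_000)
    return salt, digest


class LoginService:
    def __init__(self, now=time.monotonic):
        self.now = now          # injectable clock so the lockout can be tested
        self.users = {}         # username -> (salt, digest)
        self.failures = {}      # username -> (consecutive failures, last failure time)

    def register(self, user, pw):
        if not password_policy_ok(pw):
            raise ValueError("password does not meet policy")
        self.users[user] = hash_password(pw)

    def login(self, user, pw):
        """Returns 'ok', 'denied' or 'locked'."""
        count, last = self.failures.get(user, (0, 0.0))
        if count >= MAX_FAILURES:
            if self.now() - last < LOCKOUT_SECONDS:
                return "locked"
            count = 0  # lockout expired; start a fresh attempt budget
        record = self.users.get(user)
        # Run the hash even for unknown accounts so response time does not
        # reveal whether a username exists (an enumeration side channel).
        salt, digest = record if record else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = hash_password(pw, salt)
        if record and hmac.compare_digest(candidate, digest):
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = (count + 1, self.now())
        return "denied"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "Correct-Horse-Battery-9")   # constructed credentials
    print(svc.login("alice", "Correct-Horse-Battery-9"))
    for _ in range(MAX_FAILURES):
        print(svc.login("alice", "wrong-password"))
    print(svc.login("alice", "Correct-Horse-Battery-9"))  # locked despite correct password
```

The lockout is keyed per account, which is the right unit for protecting a targeted user; a production service would additionally rate-limit per source address and alert on bursts of failures across many accounts, since an attacker who can enumerate the whole user base can spread a small number of guesses over each of them.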

IOActive disclosed the bugs to Confide on February 28. Confide was already aware of some of the bugs after detecting the researchers' probing, and by March 3 the company told IOActive that all the vulnerabilities had been patched. IOActive says that it was satisfied with Confide's reaction. “When our researchers connected with Confide to disclose the vulnerabilities, they were receptive to our research, quick to move on addressing critical issues found, and worked with us to share the information," IOActive CEO Jennifer Steffens said in a statement.

Confide has been around since 2014, though, so protecting the app going forward, while crucial, doesn't mitigate the risk its users have already faced. But Confide assures its users that the bugs were never exploited. "Our security team is continuously monitoring our systems to protect our users' integrity," says Confide president Jon Brod. "IOActive's attempt to gather account information was detected and stopped in real time. Not only has this particular issue been resolved, but we also have no detection of it being exploited by any other party. In addition, we've also ensured that the same or similar approaches will not be possible going forward."

Safety First

Other researchers have piled on similar findings about the state of Confide's security. Experts have also been calling the app out for a while for using proprietary cryptography and offering no evidence that it has invited independent code audits to check for vulnerabilities. Encrypted communication services that are open source, like Signal, garner more trust in the security community because of their transparency.

"Public review of open source code can [reveal] such flaws," says Sven Dietrich, a cryptography researcher at CUNY John Jay College of Criminal Justice. He adds that code reviews "allow experts to identify programming mistakes that jeopardize user messages or credentials, and protocol mistakes like improper exchange of keys or messages." Basically, all the issues Confide ran into.

It's difficult for consumers to know which security products to choose or even how to compare the options. This puts responsibility on software makers to secure their products. “Encryption software assumes such an important role today. The only way to ensure that a piece of software does not contain back doors or gaping holes is to have independent trust experts audit the code. This is best practice,” says Kevin Curran, a cybersecurity researcher at Ulster University and IEEE senior member. “We all know that it is unreasonable to expect vulnerability-free software, but we need to look at risk mitigation.”

Now that Confide has patched its vulnerabilities, users will have more protection. But without greater transparency, users may not have confidence that other flaws aren't lurking in their favorite encrypted chat app. For a White House staffer leaking information critical to United States discourse and fearing retribution from a temperamental boss, there's no room for error.