The Confidential Confide Messenger Is Hackable, Claims Security Firm IOActive!

In this digital era, you will find a number of chat messengers in application stores. Confide is one of them. The app promotes itself as the most secure confidential messenger, and it has also been adopted by United States White House staff. Confide claims to use military-grade end-to-end encryption to transfer messages within a network or outside the network. But United States-based security firm IOActive published a press note this Wednesday stating that Confide Messenger is hackable. Confide Messenger contains various security vulnerabilities related to its SSL, message encryption, account management, and website.

List of Security Vulnerabilities

A team of three IOActive security researchers (Nick Achatz, Mike Davis, and Ryan O’Horo) researched Confide Messenger version 1.4.2 (Windows and OS X) and Confide Messenger version 4.0.4 (Android). White House staff and Republican officials use this app because it has “self-destructing” functionality, which lets the application delete a message after it has been read. By reverse engineering the app, the security researchers found the following security vulnerabilities in Confide Messenger:

Account Management System is Vulnerable

The security researchers managed to access around 7000 Confide Messenger user accounts, including personal contact numbers and email addresses. This happened due to a security loophole in Confide’s account management system. An attacker could exploit this vulnerability by interacting with its public API.

Vulnerable To Brute Force Attack

Confide Messenger allows its users to choose simple, easily guessed passwords. Most modern applications ask users to choose a complex password with special characters and alphanumeric values for security reasons. The security researchers found that the Confide app is not capable of stopping a brute-force attack, and that by performing a brute-force attack it is very easy to steal all the passwords.
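
As an added example (not part of the original article, IOActive's research, or Confide's code), the following Python script shows how a service operator could spot the two account-related findings above, enumeration through a public API and unthrottled password guessing, in its own authentication logs. The log format, event names, thresholds and sample lines are assumptions constructed for illustration.

```python
# Added example: flag account enumeration and password guessing in auth logs.
# The log format, event names and thresholds are assumptions, not Confide's.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MAX_DISTINCT_LOOKUPS = 5   # distinct accounts probed per source per window
MAX_FAILED_LOGINS = 4      # failed logins against one account per window

def parse(line):
    """Split 'ISO-timestamp source-ip EVENT account RESULT' into typed fields."""
    ts, ip, event, account, result = line.split()
    return datetime.fromisoformat(ts), ip, event, account, result

def detect(lines):
    """Return (enumerating_sources, brute_forced_accounts) as sorted lists."""
    lookups = defaultdict(list)   # ip -> [(time, account)] inside the window
    failures = defaultdict(list)  # account -> [time] inside the window
    enum_sources, bf_accounts = set(), set()
    for ts, ip, event, account, result in map(parse, lines):
        if event == "LOOKUP":
            recent = [(t, a) for t, a in lookups[ip] if ts - t <= WINDOW]
            recent.append((ts, account))
            lookups[ip] = recent
            if len({a for _, a in recent}) > MAX_DISTINCT_LOOKUPS:
                enum_sources.add(ip)
        elif event == "LOGIN" and result == "FAIL":
            recent = [t for t in failures[account] if ts - t <= WINDOW]
            recent.append(ts)
            failures[account] = recent
            if len(recent) > MAX_FAILED_LOGINS:
                bf_accounts.add(account)
    return sorted(enum_sources), sorted(bf_accounts)

def sample_log():
    """Constructed sample: one abusive source and one ordinary user."""
    base = datetime(2017, 3, 8, 10, 0, 0)
    def row(sec, rest):
        return f"{(base + timedelta(seconds=sec)).isoformat()} {rest}"
    lines = [row(i, f"198.51.100.9 LOOKUP user{i} OK") for i in range(8)]
    lines += [row(20 + i, "198.51.100.9 LOGIN user3 FAIL") for i in range(6)]
    lines += [row(30, "203.0.113.5 LOOKUP alice OK"),
              row(31, "203.0.113.5 LOGIN alice FAIL"),
              row(40, "203.0.113.5 LOGIN alice OK")]
    return lines

if __name__ == "__main__":
    print(detect(sample_log()))
```

The same counters can drive enforcement as well as alerting, for example by delaying or rejecting further attempts once a threshold is crossed.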

MITM Attack is Possible

The Confide app uses an invalid Secure Sockets Layer (SSL) certificate to communicate with the server over the internet. Messages sent by a user through Confide do not reach the other user in the same encrypted form. There is a security loophole in Confide's current SSL certificate, and an attacker can perform a man-in-the-middle (MITM) attack to intercept all the messages. Moreover, the company is using a system to authenticate all the encrypted messages. This means Confide can also read and see the conversation between two users.

The Website is Also Vulnerable

According to the security researchers, the official Confide website is also vulnerable to an arbitrary URL redirection attack. Attackers could use it to perform various types of social engineering attacks against Confide users.

The Drawbacks

The attacker can hijack the account session of any user.

The attacker can steal the personal contact numbers and email addresses of users.

The attacker could read private and confidential messages of any user by performing an MITM attack.

By performing a Brute-Force attack, the attacker can easily guess the password of any user.

The attacker could perform unethical and illegal activities by hijacking someone’s Confide account.

Confide's Take on This

The company said that all the security vulnerabilities have been patched by the development team. The Confide team said it is monitoring all its systems to detect illegitimate activities and has not received any bad report. To improve the Confide app's security, the company is implementing more security features. This is not the first such incident for the Confide app: last month a journalist noticed that the app was allowing him to access the personal contact number of White House press secretary Sean Spicer and all the staff.

Companies should think about these types of critical security vulnerabilities. A normal user uses the Confide app believing that all the messages he sends are safe and encrypted. He doesn't know that an attacker can read all his messages and misuse his sensitive information for personal benefit.
