Monday, March 4, 2024

Confide App used by White House staffers Found Vulnerable for MITM attacks

Confide is an a encrypted texting application for Android and iOS, which used by staffers in White House for their secret communication.

Security Experts from IOActive found Multiple critical flaws while testing versions 4.0.4 for Android and 1.4.2 for Windows and OS X.

Technical Details

  • Notification system doesn’t require a valid SSL server certificate to communicate, which would leak information, if any MITM attack performed.
  • Unencrypted messages could be transmitted, and no indications for unencrypted message.
  • The application neglected to utilize validated encryption, permitting Confide to modify messages in-travel.
  • The application permitted an attacker to enumerate all Confide client accounts,including genuine names, email addresses, and telephone numbers.
  • Application vulnerable to bruteforce attacks, no password policies which allows users to set vulnerable passwords.
  • The application’s site was vulnerable against a arbitrary URL redirection, which
    could encourage social engineering attacks against its clients.


  • Imitate another users by hijacking their account session.
  • Imitate another users by speculating their password.
  • Turned into a middle person in a discussion and decrypt messages.
  • Alter the contents of a message or attachment in transit without first decrypting it.
  • Learn the contact details of all or specific Confide users.
  • Take in the contact details of all Confide clients.

As per  IOActive they were able to recuperate more than 7,000 records for clients enlisted between the dates of 2017-02-22 to 2017-02-24.

This information additionally demonstrated that in the vicinity of 800,000 and one million client records were possibly contained in the database.

Amid their 2-day test, the group could discover a Donald Trump relate and a few workers from the Department of Homeland Security (DHS) who downloaded the Confide application.

The confidentiality of the exchanged messages relies on upon the robustness of TLS. Confide can actually read every one of the messages that go through its servers.

End-to-end encryption, as it is executed, exclusively depends on the server through which the messages pass.

Confide is not just an encrypted messenger. It provides other interesting security features:

  • Screenshot prevention: Received messages can theoretically not be copied by a user. As the astute reader may have noticed, the previous paragraphs present screenshots of the application.
  • Message deletion: Once a user reads a message, it is deleted from the client and from the server. Is it possible to prevent message deletion?
  • Secrets protection: Confide handle secrets, like private keys required to decrypt messages. Are these keys correctly protected?


  • February 2017: IOActive conducts testing on the Confide application.
  • February 25, 2017: Confide begins fixing issues uncovered by the detection of anomalous behavior during the testing window.
  • February 27, 2017: IOActive contacts Confide via several public email addresses to establish a line of communication.
  • February 28, 2017: IOActive discloses issues to Confide. Confide communicates that some mitigations are already in progress and plans are being made to address all issues.
  • March 2, 2017: Confide releases an updated Windows client (1.4.3), which includes fixes that address some of IOActive’s findings.

For more details, you can rush to ioactive and quarkslab

Also Read:


Latest articles

US Court Orders NSO Group to Handover Code for Spyware, Pegasus to WhatsApp

Meta, the company that owns WhatsApp, filed a lawsuit against NSO Group in 2019....

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like...

U.S. Charged Iranian Hacker, Rewards up to $10 Million

The United States Department of Justice (DoJ) has charged an Iranian national, Alireza Shafie...

Huge Surge in Ransomware-as-a-Service Attacks targeting Middle East & Africa

The Middle East and Africa (MEA) region has witnessed a surge in ransomware-as-a-service (RaaS)...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles