Thursday, March 28, 2024

Confide App used by White House staffers Found Vulnerable for MITM attacks

Confide is an a encrypted texting application for Android and iOS, which used by staffers in White House for their secret communication.

Security Experts from IOActive found Multiple critical flaws while testing versions 4.0.4 for Android and 1.4.2 for Windows and OS X.

Technical Details

  • Notification system doesn’t require a valid SSL server certificate to communicate, which would leak information, if any MITM attack performed.
  • Unencrypted messages could be transmitted, and no indications for unencrypted message.
  • The application neglected to utilize validated encryption, permitting Confide to modify messages in-travel.
  • The application permitted an attacker to enumerate all Confide client accounts,including genuine names, email addresses, and telephone numbers.
  • Application vulnerable to bruteforce attacks, no password policies which allows users to set vulnerable passwords.
  • The application’s site was vulnerable against a arbitrary URL redirection, which
    could encourage social engineering attacks against its clients.

Effect

  • Imitate another users by hijacking their account session.
  • Imitate another users by speculating their password.
  • Turned into a middle person in a discussion and decrypt messages.
  • Alter the contents of a message or attachment in transit without first decrypting it.
  • Learn the contact details of all or specific Confide users.
  • Take in the contact details of all Confide clients.

As per  IOActive they were able to recuperate more than 7,000 records for clients enlisted between the dates of 2017-02-22 to 2017-02-24.

This information additionally demonstrated that in the vicinity of 800,000 and one million client records were possibly contained in the database.

Amid their 2-day test, the group could discover a Donald Trump relate and a few workers from the Department of Homeland Security (DHS) who downloaded the Confide application.

The confidentiality of the exchanged messages relies on upon the robustness of TLS. Confide can actually read every one of the messages that go through its servers.

End-to-end encryption, as it is executed, exclusively depends on the server through which the messages pass.

Confide is not just an encrypted messenger. It provides other interesting security features:

  • Screenshot prevention: Received messages can theoretically not be copied by a user. As the astute reader may have noticed, the previous paragraphs present screenshots of the application.
  • Message deletion: Once a user reads a message, it is deleted from the client and from the server. Is it possible to prevent message deletion?
  • Secrets protection: Confide handle secrets, like private keys required to decrypt messages. Are these keys correctly protected?

Timeline

  • February 2017: IOActive conducts testing on the Confide application.
  • February 25, 2017: Confide begins fixing issues uncovered by the detection of anomalous behavior during the testing window.
  • February 27, 2017: IOActive contacts Confide via several public email addresses to establish a line of communication.
  • February 28, 2017: IOActive discloses issues to Confide. Confide communicates that some mitigations are already in progress and plans are being made to address all issues.
  • March 2, 2017: Confide releases an updated Windows client (1.4.3), which includes fixes that address some of IOActive’s findings.

For more details, you can rush to ioactive and quarkslab

Also Read:

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles