The Encrypted App Used By White House Staffers Suffered From Serious Security Flaws

From our partner
BY: Jenna McLaughlin 03.08.17

Getty Image

Confide, a three-year-old messaging app reportedly favored by White House officials, and supposedly boasting “military-grade end-to-end encryption,” was so insecure it allowed attackers to impersonate friendly contacts, spy on contact information, and even alter messages in transit, according to a cybersecurity firm.

While Confide, dubbed the “Snapchat for business”, has since mostly fixed these insecurities after the firm, IOActive, contacted the company with its research, an attacker could have taken full advantage before this month, according to a report from IOActive security researchers Mike Davis and Ryan O’Horo.

Axios last month reported that paranoid White House staffers and top Republicans were shielding their communications using the app, which offers a disappearing message feature. The application also requires the user to scroll over each line of text individually to see the hidden message beneath—making it hard to screenshot the full text. Buzzfeed confirmed that White House press secretary Sean Spicer and White House director of strategic communications Hope Hicks had downloaded the app at some point in time.

After those reports emerged, Confide’s download numbers surged. Google Ventures, Billy Bush, SV Angels, and other big investors had already doled out more than $3 million to help create the app, which also syncs with iMessage for Apple users.

The application’s erasing messages raised concerns about whether or not federal employees who use the app for official business were breaking public records laws — which require them to preserve communications sent in their professional capacity.

But use of the app also raised security concerns, as raised by the Buzzfeed report, and which O’Horo and Davis have now explained in detail.

A malicious actor, according to the report, could hijack an app in use and pretend to be the account holder, change the contents of a message traveling to its recipient, gain access to someone’s Confide address book, easily guess a user’s password, or decrypt messages in transit.