Seattle, Wash. – March 8, 2017 – IOActive, Inc., the worldwide leader in research-driven security services, today released a new security advisory highlighting numerous security vulnerabilities discovered in a messaging application from Confide, Inc. IOActive security researchers Mike Davis, Ryan O’Horo, and Nick Achatz tested Confide version 1.4.2 for Windows and OS X and version 4.0.4 for Android by reverse engineering the published applications, observing their behavior, and interacting with the public API.
Confide is marketed as a confidential messaging application that uses “military grade end-to-end encryption” to protect confidential communications on mobile devices. The issues identified at the time of testing fell into four areas:
- HTTPS: The application’s notification system did not validate the server’s SSL certificate before communicating, so an attacker in a man-in-the-middle position could intercept the connection and obtain session information.
- Messaging: Unencrypted messages could be transmitted, and the user interface gave no indication when an unencrypted message was received. File attachments were uploaded before the user had actually sent the message. The application did not use authenticated encryption, so Confide, or any other party in the message path, could alter messages in transit without detection.
- Account Management: An attacker could enumerate all Confide user accounts, including real names, email addresses, and phone numbers. The application did not adequately prevent brute-force attacks against user passwords, and users were permitted to choose short, easily guessed passwords.
- Website: Confide’s website was vulnerable to open (arbitrary) URL redirection, which could facilitate social engineering attacks against its users, and it reflected incorrectly entered passwords back to the browser.
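The certificate-validation failure behind the HTTPS finding above comes down to one client setting. The following is an added example written for this page, not code from Confide or from the IOActive advisory. It runs a loopback HTTPS server with a self-signed certificate (standing in either for a service with its own CA or for a man-in-the-middle) and sends the same request from three differently configured clients. The server, its response body and the session token string are constructed for the example; the advisory does not say how Confide’s client was written, so the `InsecureSkipVerify` setting illustrates the class of behaviour described, not Confide’s actual code.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newNotificationServer stands in for a notification endpoint. httptest gives
// it a self-signed certificate that no system trust store recognises, which
// is also what a man-in-the-middle would present. The body is a constructed
// placeholder for the session data the advisory says could leak.
func newNotificationServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "session=constructed-session-token")
	}))
}

// fetch reports whether the client accepted the server's certificate and
// completed the request, and what it got back (body or handshake error).
func fetch(c *http.Client, url string) (accepted bool, detail string) {
	resp, err := c.Get(url)
	if err != nil {
		return false, err.Error()
	}
	defer resp.Body.Close()
	b, _ := io.ReadAll(resp.Body)
	return true, string(b)
}

// Outcome records which client configurations handed the request (and with
// it any session data) to the untrusted server.
type Outcome struct {
	DefaultAccepted, InsecureAccepted, PinnedAccepted bool
}

func Run() Outcome {
	srv := newNotificationServer()
	defer srv.Close()

	// Weak setting: InsecureSkipVerify disables certificate validation, so the
	// client talks to whoever answers, attacker included. This is the class of
	// behaviour the advisory describes for the notification system.
	insecure := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}

	// Default setting: verify against the system trust store. The self-signed
	// certificate is rejected during the handshake, before any request is sent.
	strict := &http.Client{}

	// Corrected setting for a service that uses its own CA or a pinned
	// certificate: verify against an explicit root instead of skipping checks.
	// Here the root is the test server's own certificate.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinned := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}

	var o Outcome
	o.InsecureAccepted, _ = fetch(insecure, srv.URL)
	o.DefaultAccepted, _ = fetch(strict, srv.URL)
	o.PinnedAccepted, _ = fetch(pinned, srv.URL)
	return o
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

Only the `InsecureSkipVerify` client and the client pinned to the expected certificate complete the request; the default client fails the handshake with an unknown-authority error. The practical check for any client is the same: point it at a server presenting a certificate it should not trust and confirm the connection is refused before any session data is sent.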
Testing showed that an attacker could exploit these vulnerabilities to perform one or more of the following actions:
- Impersonate another user by hijacking their account session
- Impersonate another user by guessing their password
- Learn the contact details of all or specific Confide users
- Become an intermediary in a conversation and decrypt messages
- Alter the contents of a message or attachment in transit without first decrypting it
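The last item, altering a message in transit without decrypting it, is the direct consequence of the missing authenticated encryption noted under Messaging. The following is an added example written for this page, not code from Confide or from the IOActive advisory, and the advisory does not state which cipher or mode Confide used: AES-CTR is chosen here only as a representative unauthenticated mode, with AES-GCM as the authenticated counterpart. The key and the message are constructed for the example. An intermediary who knows (or guesses) where a value sits in the plaintext flips the corresponding ciphertext bits; the CTR recipient decrypts the edited value as if it were genuine, while the GCM recipient rejects the identically edited message.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed key and message for the example, not taken from Confide or the advisory.
var sampleKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

const (
	original  = "Transfer $1000 to ACCT-A"
	oldAmount = "1000"
	newAmount = "9000"
)

func randomNonce(n int) ([]byte, error) {
	nonce := make([]byte, n)
	_, err := rand.Read(nonce)
	return nonce, err
}

// xorCTR runs AES-CTR under nonce. Encrypting and decrypting are the same XOR
// with the keystream, and nothing in it can detect a modified ciphertext.
func xorCTR(key, nonce, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, nonce).XORKeyStream(out, in)
	return out, nil
}

// tamperInTransit is the intermediary. It has no key; it only knows (or
// guesses) that plaintext bytes old sit at offset off after a hdr-byte header.
// With ct = pt XOR keystream, ct XOR old XOR repl decrypts to repl.
func tamperInTransit(msg []byte, hdr, off int, old, repl []byte) []byte {
	out := append([]byte(nil), msg...)
	for i := range old {
		out[hdr+off+i] ^= old[i] ^ repl[i]
	}
	return out
}

// Demo applies the same in-transit edit to an AES-CTR message and to an
// AES-GCM message. It returns what the CTR recipient reads and whether the
// GCM recipient accepted its tampered copy.
func Demo() (ctrResult string, gcmAccepted bool, err error) {
	pt, old, repl := []byte(original), []byte(oldAmount), []byte(newAmount)
	off := bytes.Index(pt, old)

	// Unauthenticated: the wire format is nonce || ct.
	nonce, err := randomNonce(aes.BlockSize)
	if err != nil {
		return "", false, err
	}
	ct, err := xorCTR(sampleKey, nonce, pt)
	if err != nil {
		return "", false, err
	}
	wire := tamperInTransit(append(nonce, ct...), aes.BlockSize, off, old, repl)
	got, err := xorCTR(sampleKey, wire[:aes.BlockSize], wire[aes.BlockSize:])
	if err != nil {
		return "", false, err
	}

	// Authenticated: AES-GCM, wire format nonce || ct || tag. The same edit
	// invalidates the tag and Open returns an error instead of plaintext.
	block, err := aes.NewCipher(sampleKey)
	if err != nil {
		return "", false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", false, err
	}
	gnonce, err := randomNonce(aead.NonceSize())
	if err != nil {
		return "", false, err
	}
	ns := aead.NonceSize()
	gwire := tamperInTransit(aead.Seal(gnonce, gnonce, pt, nil), ns, off, old, repl)
	_, openErr := aead.Open(nil, gwire[:ns], gwire[ns:], nil)
	return string(got), openErr == nil, nil
}

func main() {
	got, accepted, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("CTR recipient reads %q; GCM recipient accepted tampered copy: %v\n", got, accepted)
}
```

The CTR recipient reads "Transfer $9000 to ACCT-A" with no error, which is why a user interface built on unauthenticated encryption has no way to flag the alteration. The GCM recipient gets an authentication failure and no plaintext at all, so the fix is not a UI warning but an AEAD (or encrypt-then-MAC) construction whose tag covers everything the recipient will act on.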
In accordance with IOActive’s responsible disclosure practices, IOActive informed Confide of the issues discovered during its research once they were properly validated, and then worked collaboratively with Confide on a remediation and disclosure timeline. Confide immediately responded to IOActive’s initial vulnerability disclosure and was responsive throughout the process.
“This is a great example of how responsible disclosure between researchers and vendors can work when both sides are engaged in making security a focus,” said Jennifer Steffens, CEO of IOActive. “When our researchers connected with Confide to disclose the vulnerabilities, they were receptive to our research, quick to move on addressing critical issues found, and worked with us to share the information. From 18 years of experience in security research, we know just how rare this interaction is, yet collaborative information exchange and responsiveness are the baseline for successful responsible disclosures. We wish more firms were as responsive and committed to quick resolution of identified issues.”
The full advisory report on the research can be accessed on the IOActive website here: http://www.ioactive.com/pdfs/IOActive-Security-Advisory-Confide-Messaging-Ap.pdf
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, US, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.