Confide app used by White House staff not as secure as claimed, report suggests
Confide -- a messaging app being used by some White House staff and reporters, and available for Apple's iPhone and Mac among other platforms -- may not be sufficiently secure, according to a new report.
The phone numbers of two high-level White House officials -- press secretary Sean Spicer, and director of strategic communications Hope Hicks -- were discovered through a feature in the app that lets people find friends who have already joined, BuzzFeed News said. Spicer in fact confirmed his use of Confide in a call with BuzzFeed, calling their story "an invasion of my privacy." He insisted however that he only sent one message several months ago at the request of a reporter, and uses a separate phone for official White House business.
The number listed for Hicks was unreachable, but a source within Confide suggested that she could have deleted the app months ago. The company's policy is to keep users listed even after they delete an account, the source said.
A security expert told BuzzFeed that while read messages are deleted immediately on a person's device, they're kept up to a week on Confide's servers, and the company is also saving metadata. If exposed legally or otherwise, this could at least be used to identify how often a person is sending messages and to whom.
Another issue is that Confide doesn't make its code public or identify which brand of encryption it uses. A researcher with Kudelski Security, Jean-Philippe Aumasson, indicated that the app relies on the OpenSSL library, some versions of which are known to be vulnerable to hacking.
The Washington Post recently said that White House staff are using Confide to avoid being blamed for a stream of leaks to the media, something allegedly being scrutinized in an investigation ordered by U.S. President Donald Trump.
Other reports said that the app is popular with journalists at the White House, as well as a number of people in the Republican Party worried they could fall prey to the same sort of hacking that victimized the Democrats during last year's election campaign.
The phone numbers of two high-level White House officials -- press secretary Sean Spicer, and director of strategic communications Hope Hicks -- were discovered through a feature in the app that lets people find friends who have already joined, BuzzFeed News said. Spicer in fact confirmed his use of Confide in a call with BuzzFeed, calling their story "an invasion of my privacy." He insisted however that he only sent one message several months ago at the request of a reporter, and uses a separate phone for official White House business.
The number listed for Hicks was unreachable, but a source within Confide suggested that she could have deleted the app months ago. The company's policy is to keep users listed even after they delete an account, the source said.
A security expert told BuzzFeed that while read messages are deleted immediately on a person's device, they're kept up to a week on Confide's servers, and the company is also saving metadata. If exposed legally or otherwise, this could at least be used to identify how often a person is sending messages and to whom.
Another issue is that Confide doesn't make its code public or identify which brand of encryption it uses. A researcher with Kudelski Security, Jean-Philippe Aumasson, indicated that the app relies on the OpenSSL library, some versions of which are known to be vulnerable to hacking.
The Washington Post recently said that White House staff are using Confide to avoid being blamed for a stream of leaks to the media, something allegedly being scrutinized in an investigation ordered by U.S. President Donald Trump.
Other reports said that the app is popular with journalists at the White House, as well as a number of people in the Republican Party worried they could fall prey to the same sort of hacking that victimized the Democrats during last year's election campaign.
Comments
That is an issue? Seriously? Does everything have to be "open source" or it's an issue?
* I've never used nor do I expect to use one of these apps. For starters, anything sent could just be saved with a screenshot on the other end, so the best it could do is probably just hid your name, assuming you didn't use RealPOTUSSteveBannon.
That is because the open source communicate feel they are better equipped to find issue and as group they and also fix them. But I also work for a networking equipment manufacture and we did not allow use of open source or any libraries which were not internally developed, why for security reasons. We did not want the product software to contain code which people outside the company had knowledge of.
With that said, when are these people going to learn, if you do not want people to know what you are doing never write it down, and do all your dirty work in person. I personally only document facts in Emails and such, everything else it is in a personal conversation, this way I can always deny what was said since it was never written down.
As I told my kids, if they are ever doing something they should not be doing, and someone pulls out a phone and begins recording get yourself out of there. I told them I did lots of things when I was younger and no one can prove it since it not written down, no pictures, and my friends memory is far worse than mine.
For systems with closed source there are other certifications people can also feel better about such as being FIPS Validated (Federal Information Processing Standards) or having a Common Criteria Certificate which you need for a CSfC (Consumer Solutions for Classified) listing.
Yeah, better scrutiny and testing a monkey's ass!
Republicans have spent the last 4 years and tens of millions of dollars attacking Hillary's use of non-government systems -- and within the first month, they are doing the same! I wonder who will investigate THEM?
Just a few random examples:
http://forums.appleinsider.com/discussion/198480/apple-weighing-legal-action-against-trump-immigration-ban-to-match-employee-donations-to/p2
http://forums.appleinsider.com/discussion/comment/2933095/
http://forums.appleinsider.com/discussion/comment/2932628/#Comment_2932628
That last one was the weirdest, since there were no actual comments posted, the thread was simply locked. As a result of me posting this response I fully expect my post and comments to be deleted.
but suddenly as the leaks go against the the so called presidental view point
its all fake news ... honest guvnor!