The researchers believe they could have acquired contact details of all Confide users thanks to the vulnerabilities. For instance, the app allowed an attacker to continuously query the Confide server to enumerate all user accounts, including real names, email addresses and phone numbers. That problem was only made worse by the fact that users were allowed to choose "short, easy-to-guess passwords," IOActive said. Ultimately, Quarkslab said the "Confide server can read your messages by performing a man-in-the-middle attack." Undermining your own security or taking complete control of a device makes the entire device vulnerable, not just the Confide app.

Source: Forbes March 08, 2017 13:52 UTC