How the Signal Knockoff App TeleMessage Got Hacked in 20 Minutes


They tried logging into secure.telemessage.com using a pair of these credentials and discovered that they had just hacked a user with an email address associated with US Customs and Border Protection, one of the agencies implementing Trump’s draconian immigration policy. CBP has since confirmed that it was a TeleMessage customer.

After spending a few more minutes digging through the heap dump, the hacker also discovered plaintext chat logs. “I can read Coinbase internal chats, this is incredible,” the hacker said. (Coinbase did not respond to WIRED’s request for comment, but did tell 404 Media that “there is no evidence any sensitive Coinbase customer information was accessed or that any customer accounts are at risk, since Coinbase does not use this tool to share passwords, seed phrases, or other data needed to access accounts.”)

At this point, the hacker says they had spent 15 to 20 minutes poking at TeleMessage’s servers, and had already compromised one of their federal government customers, along with one of the world’s biggest cryptocurrency exchanges.

As I discovered from analyzing TM SGNL’s source code, TeleMessage apps—like the one running on Mike Waltz’s phone—uploaded unencrypted messages to archive.telemessage.com (I call this the archive server), which then forwards the messages to the customer’s final destination. This contradicts TeleMessage’s public marketing material, where they claimed TM SGNL uses “end-to-end encryption from the mobile phone through to the corporate archive.”

The archive server is programmed in Java and is built using Spring Boot, an open source framework for creating Java applications. Spring Boot includes a set of features called Actuator that helps developers monitor and debug their applications. One of these features is the heap dump endpoint, which is the URL the hacker used to download heap dumps.

According to Spring Boot Actuator’s documentation: “Since Endpoints may contain sensitive information, careful consideration should be given about when to expose them.” In the case of TeleMessage’s archive server, the heap dumps contained usernames, passwords, unencrypted chat logs, encryption keys, and other sensitive information.

If anyone on the internet had loaded the heap dump URL right as Mike Waltz was texting using the TM SGNL app, the heap dump file would have contained his unencrypted Signal messages, too.

A 2024 post on the cloud security company Wiz’s blog lists “Exposed HeapDump file” as the number one common misconfiguration in Spring Boot Actuator. “Up until version 1.5 (released in 2017), the /heapdump endpoint was configured as publicly exposed and accessible without authentication by default. Since then, in later versions Spring Boot Actuator has changed its default configuration to expose only the /health and /info endpoints without authentication (these are less interesting for attackers),” the author wrote. “Despite this improvement, developers often disable these security measures for diagnostic purposes when deploying applications to test environments, and this seemingly minor configuration change may remain unnoticed and thereby persist when an application is pushed to production, inadvertently allowing attackers to gain unauthorized access to critical data.”

In a 2020 post on Walmart’s Global Tech Blog, another developer gave a similar warning. “Apart from /health and /info, all actuator endpoints are risky to open to end users because they can expose application dumps, logs, configuration information and controls,” the author wrote. “The actuator endpoints have security implications and SHOULD NEVER EVER be exposed in production environment.”

The hacker’s quick exploitation of TeleMessage indicates that the archive server was badly misconfigured. It was either running an eight-year-old version of Spring Boot, or someone had manually configured it to expose the heap dump endpoint to the public internet.
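For comparison, here is what the misconfiguration the Wiz and Walmart posts describe looks like in a Spring Boot `application.yml`, placed beside the hardened form. This is an added example and is not TeleMessage’s configuration or code from the article; the property names are Spring Boot’s own management properties (the multi-document profile activation needs Spring Boot 2.4 or later), while the `diag` profile name, the management port and the bind address are assumed values for the example.

```yaml
# application.yml (constructed example; not TeleMessage's configuration)

# --- Default document: what production runs. ---
management:
  endpoints:
    web:
      exposure:
        # Only the two endpoints that carry no application state.
        # This is also the Spring Boot 2.x default; stating it here
        # overrides any wider setting inherited from elsewhere.
        include: health,info
  endpoint:
    heapdump:
      # Disabled outright, so no later edit to the include list can
      # bring /actuator/heapdump back. Take memory snapshots on the
      # host with JDK tooling instead of behind a URL.
      enabled: false
    health:
      # Do not reveal component details to unauthenticated callers.
      show-details: never
  server:
    # Bind whatever remains of Actuator to a loopback-only management
    # port, separate from the application port (values assumed).
    port: 8081
    address: 127.0.0.1

---
# --- Diagnostic document, active only under the assumed "diag" profile. ---
# This is the weak setting the posts warn about: "*" exposes every
# Actuator endpoint, heap dump included. Scoping it to a profile that is
# never activated in production is what keeps the "seemingly minor
# configuration change" from persisting into a deployed server.
spring:
  config:
    activate:
      on-profile: diag
management:
  endpoints:
    web:
      exposure:
        include: "*"
  endpoint:
    heapdump:
      enabled: true
```

Profile-specific documents only override the keys they set, so even when `diag` is active the management port and loopback address from the default document still apply, and the wide exposure is reachable only from the host itself. A deployment that instead carries `include: "*"` in its default document, or runs a Spring Boot release old enough to expose `/heapdump` by default, is in the state the article attributes to the archive server.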

This is why it took a hacker only about 20 minutes of prodding before it cracked open, with sensitive data spilling out.

Despite this critical vulnerability and other security issues with TeleMessage’s products—most notably, that the Israeli firm that builds the products can access all its customers’ chat logs in plaintext—someone in the Trump administration deployed it to Mike Waltz’s phone while he was serving as national security adviser.