How the Signal Knockoff App TeleMessage Got Hacked in 20 Minutes (WIRED)

During a recent cabinet meeting, President Donald Trump's then national security adviser Mike Waltz must have been bored. Apparently unaware of the photographer behind him, he was caught clandestinely checking his Signal messages under the table.

Only he wasn't using the official Signal app, which is widely considered to be the gold standard of encrypted messaging apps. He was actually using a clone of Signal called TeleMessage Signal, or TM SGNL. This app, made by TeleMessage, which was recently acquired by Smarsh, works in almost exactly the same way as Signal, except that it also archives copies of all the messages passing through it, shattering all of its security guarantees.

Two days after the photo of Waltz was published, an anonymous source told me that they had hacked TeleMessage. "I would say the whole process took about 15 to 20 minutes," the hacker said, as Joseph Cox and I reported in 404 Media. "It wasn't much effort at all." Representatives from TeleMessage and Smarsh did not respond to a request for comment.

The exploit that the hacker used was incredibly simple. At the time, we chose not to publish any details about it because it would be so easy for others to replicate. Since then, TeleMessage has temporarily suspended all services, which is why WIRED can now share exactly how this hack took place without risking anyone's private data.

"I first looked at the admin panel, secure.telemessage.com, and noticed that they were hashing passwords to MD5 on the client side, something that negates the security benefits of hashing passwords as the hash effectively becomes the password," the hacker said. Password hashing means storing a one-way transformation of the password rather than the password itself, so that a stolen credential database does not directly yield working logins. MD5 is a fast, long-broken hash that is unsuitable for that job, and hashing on the client defeats the point entirely: whatever value the client sends is the value the server accepts, so anyone holding the stored hash can log in without ever knowing the password. Drop Site News has since reported that it appears that this admin panel exposed email addresses, passwords, usernames, and phone numbers to the public.

The weak password hashing, and the fact that the TeleMessage site was programmed with JSP, an early-2000s-era technology for creating web apps in Java, gave the hacker "the impression that their security must be poor." Hoping to find vulnerable JSP files, the hacker then used feroxbuster, a tool that can quickly find publicly available resources on a website, on secure.telemessage.com.

The hacker also used feroxbuster on archive.telemessage.com, another domain used by TeleMessage, which is where they discovered the vulnerable URL, which ended in /heapdump.

When they loaded this URL, the server responded with a Java heap dump, a roughly 150MB file containing a snapshot of the server's memory at the moment the URL was loaded.

The hacker said they "knew from past experience that heap dumps from web servers" will include the "bodies" of HTTP requests, "and this may include credentials of users logging in." And for TM SGNL they did. By downloading a heap dump and then searching for "password," the hacker could see usernames and passwords of random users.

They tried logging into secure.telemessage.com using a pair of these credentials and discovered that they had just hacked a user with an email address associated with US Customs and Border Protection, one of the agencies implementing Trump's draconian immigration policy. CBP has since confirmed that it was a TeleMessage customer.

After spending a few more minutes digging through the heap dump, the hacker also discovered plaintext chat logs. "I can read Coinbase internal chats, this is incredible," the hacker said. Coinbase did not respond to WIRED's request for comment, but did tell 404 Media that "there is no evidence any sensitive Coinbase customer information was accessed or that any customer accounts are at risk, since Coinbase does not use this tool to share passwords, seed phrases, or other data needed to access accounts."

At this point, the hacker says they had spent 15 to 20 minutes poking at TeleMessage's servers and had already compromised one of its federal government customers along with one of the world's biggest cryptocurrency exchanges.

As I discovered from analyzing TM SGNL's source code, TeleMessage apps, like the one running on Mike Waltz's phone, uploaded unencrypted messages to archive.telemessage.com (I call this the archive server), which then forwards the messages to the customer's final destination. This contradicts TeleMessage's public marketing material, where it claimed TM SGNL uses "end-to-end encryption from the mobile phone through to the corporate archive."

The archive server is programmed in Java and is built using Spring Boot, an open source framework for creating Java applications. Spring Boot includes a set of features called Actuator that helps developers monitor and debug their applications. One of these features is the heap dump endpoint, which is the URL the hacker used to download heap dumps.

According to Spring Boot Actuator's documentation, "Since Endpoints may contain sensitive information, careful consideration should be given about when to expose them." In the case of TeleMessage's archive server, the heap dumps contained usernames, passwords, unencrypted chat logs, encryption keys, and other sensitive information.

If anyone on the internet had loaded the heap dump URL right as Mike Waltz was texting using the TM SGNL app, the heap dump file would have contained his unencrypted Signal messages too.

A 2024 post on the cloud security company Wiz's blog lists "Exposed HeapDump file" as the number one common misconfiguration in Spring Boot Actuator. "Up until version 1.5, released in 2017, the heapdump endpoint was configured as publicly exposed and accessible without authentication by default. Since then, in later versions, Spring Boot Actuator has changed its default configuration to expose only the health and info endpoints without authentication (these are less interesting for attackers)," the author wrote. "Despite this improvement, developers often disable these security measures for diagnostic purposes when deploying applications to test environments, and this seemingly small configuration change may remain unnoticed and thereby persist when an application is pushed to production, inadvertently allowing attackers to obtain unauthorized access to critical data."

In a 2020 post on Walmart's Global Tech Blog, another developer gave a similar warning. "Apart from health and info, all actuator endpoints are risky to open to end users because they can expose application dumps, logs, configuration data, and controls," the author wrote. "The actuator endpoints have security implications and SHOULD NEVER EVER be exposed in production environment."

The hacker's quick exploit of TeleMessage indicates that the archive server was badly misconfigured. It was either running an eight-year-old version of Spring Boot or someone had manually configured it to expose the heap dump endpoint to the public internet.

This is why it took a hacker about 20 minutes of prodding before it cracked open, with sensitive data spilling out.

Despite this critical vulnerability and other security issues with TeleMessage's products, most notably that the Israeli firm that builds the products can access all of its customers' chat logs in plaintext, someone in the Trump administration deployed it to Mike Waltz's phone while he was serving as national security adviser.

© 2025 Condé Nast. All rights reserved.
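The two facts the hacker leaned on, that a web server's heap dump carries recent HTTP request bodies and that a client-side MD5 digest in a login form is directly replayable, can be turned into a small triage scan, which is what a responder scoping an exposure like the one described above would run instead of a bare search for "password". The following is an added example written for this page in Python; it is not code from the article, from TeleMessage, or from Spring. It scans a heap dump for form-encoded and JSON login bodies, flags password fields that are 32-hex-digit digests as client-side-hashed (and therefore usable as-is), and redacts what it reports. Everything in SAMPLE_DUMP, including the hostname archive.example.invalid and all users and secrets, is constructed for the example; the regexes are heuristics rather than an HPROF parser, and offsets reported from the UTF-16 passes are approximate.

```python
"""Triage a JVM heap dump for HTTP request bodies carrying login credentials.
Added example, not code from the article, TeleMessage, or Spring. SAMPLE_DUMP
and every hostname, user and secret in it are constructed."""
import re
import sys
from dataclasses import dataclass
from urllib.parse import unquote

# HotSpot heap dumps, which the Actuator heapdump endpoint serves, are HPROF
# files that begin with this ASCII tag (then a version digit and a NUL byte).
HPROF_MAGIC = b"JAVA PROFILE 1.0."

# Form-encoded login body: a user-ish field, any other fields, then a password
# field. The lookbehind keeps "browser=" from being read as "user=".
FORM_RE = re.compile(
    r"(?<![A-Za-z_])(?:username|user|email|login)=([^&\s\x00]+)&"
    r"(?:[^&\s\x00]+&)*?(?:password|passwd|pwd)=([^&\s\x00]+)"
)
# JSON login body of the same shape: {"user": "...", ..., "password": "..."}.
JSON_RE = re.compile(
    r'"(?:username|user|email|login)"\s*:\s*"([^"]*)"\s*,\s*'
    r'(?:"[^"]*"\s*:\s*"[^"]*"\s*,\s*)*?"(?:password|passwd|pwd)"\s*:\s*"([^"]*)"'
)
MD5_HEX_RE = re.compile(r"^[0-9a-fA-F]{32}$")

@dataclass
class Credential:
    offset: int    # byte offset into the dump (approximate for UTF-16 views)
    encoding: str  # which view of the dump produced the match
    user: str
    secret: str
    kind: str      # "md5-hash" (replayable as-is) or "plaintext"

def classify_secret(secret: str) -> str:
    # A 32-hex-digit password field is the fingerprint of client-side MD5:
    # the server accepts this value directly, so the hash is the password.
    return "md5-hash" if MD5_HEX_RE.match(secret) else "plaintext"

def redact(secret: str, keep: int = 4) -> str:
    # Enough to correlate a finding with its user, not enough to log in with.
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)

def is_hprof(dump: bytes) -> bool:
    return dump.startswith(HPROF_MAGIC)

def find_credentials(dump: bytes) -> list[Credential]:
    """Scan three views: raw bytes as Latin-1 (lossless; covers byte[] request
    buffers and Java 9+ compact Strings) and UTF-16-BE at both byte alignments
    (covers Java 8 style char[] String contents)."""
    views = [
        ("latin-1", 0, 1, dump.decode("latin-1")),
        ("utf-16-be", 0, 2, dump.decode("utf-16-be", "replace")),
        ("utf-16-be", 1, 2, dump[1:].decode("utf-16-be", "replace")),
    ]
    found: list[Credential] = []
    for name, align, width, text in views:
        for pattern, is_form in ((FORM_RE, True), (JSON_RE, False)):
            for m in pattern.finditer(text):
                user, secret = m.group(1), m.group(2)
                if is_form:  # form bodies are percent-encoded, JSON is not
                    user, secret = unquote(user), unquote(secret)
                found.append(Credential(align + width * m.start(), name,
                                        user, secret, classify_secret(secret)))
    found.sort(key=lambda c: c.offset)
    return found

def report(dump: bytes) -> list[str]:
    lines = [f"HPROF header present: {is_hprof(dump)}"]
    for c in find_credentials(dump):
        lines.append(f"@{c.offset:#x} [{c.encoding}] user={c.user} "
                     f"secret={redact(c.secret)} ({c.kind})")
    return lines

# Constructed stand-in for a dump: an HPROF tag, a form login whose password
# field is an MD5 digest (client-side hashing), decoys that must not match,
# a JSON login, and a JSON login stored as UTF-16-BE char[] data.
SAMPLE_DUMP = (
    b"JAVA PROFILE 1.0.2\x00\x00\x00\x00\x08" + b"\x00" * 16
    + b"POST /login HTTP/1.1\r\nHost: archive.example.invalid\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    + b"username=jdoe%40agency.example&password=5f4dcc3b5aa765d61d8327deb882cf99&remember=on\x00"
    + b"\x7f\x01\x02" * 5
    + b"password_policy=strong&browser=Firefox\x00"
    + b'{"user":"ops-bot","password":"hunter2","mfa":"123456"}\x00'
    + b'{"user":"audit","role":"reader"}\x00'
    + '{"email":"analyst@example.invalid","password":"Winter2025!"}'.encode("utf-16-be")
    + b"\x00" * 8
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print("\n".join(report(data)))
```

Run with no arguments to see the constructed sample triaged, or pass the path of a downloaded heap dump. The three decoding passes mean a real 150MB dump costs several times its size in memory, which is fine on a workstation; the UTF-16 passes exist because Java 8 keeps String contents as char[] arrays, while the Latin-1 pass catches servlet byte buffers and Java 9+ compact strings. The "md5-hash" classification is the practical consequence of the client-side hashing the hacker described: those values need no cracking before they can be tried against the login form, so they should be treated as exposed credentials, not as protected ones.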