Signal Flaw? Clone App TeleMessage Hacked in Minutes Due to Basic Security Blunder


A Signal clone app, TeleMessage, used by a former Trump administration official, suffered a swift security breach. A hacker exploited a simple misconfiguration to gain access in a mere 20 minutes.

Remember the photo of President Trump’s then-national security advisor, Mike Waltz, seemingly engrossed in Signal messages during a cabinet meeting? He wasn’t using the official Signal app, known for its robust encryption. Instead, he was using TeleMessage Signal (TM SGNL), a Signal clone by TeleMessage, recently acquired by Smarsh.

While TM SGNL mimics Signal’s functionality, it also archives all messages, negating the core security benefits of encrypted messaging. This key difference proved to be its downfall.

Hacking TeleMessage: Surprisingly Easy

Just two days after Waltz’s photo surfaced, a hacker contacted WIRED, claiming to have compromised TeleMessage. “I would say the whole process took about 15 to 20 minutes,” they stated, highlighting the ease of the exploit. Initially, specific details were withheld to prevent replication. However, with TeleMessage temporarily suspending its services, the vulnerability can now be revealed.

The hacker’s initial investigation of secure.telemessage.com revealed a critical flaw: client-side MD5 password hashing. “Something that negates the security benefits of hashing passwords, as the hash effectively becomes the password,” the hacker explained. Drop Site News further reported the exposure of email addresses, passwords, usernames, and phone numbers.

This weak security posture, coupled with the use of outdated JSP technology, motivated the hacker to search for vulnerable JSP files using feroxbuster, a website resource discovery tool. They discovered a vulnerable URL on archive.telemessage.com ending in /heapdump.

The Heap Dump Goldmine

Accessing the /heapdump URL yielded a Java heap dump – a 150MB snapshot of the server’s memory. The hacker, familiar with heap dumps, knew they often contain HTTP request bodies, potentially including login credentials.

The hunch paid off. By downloading the heap dump and searching for “password,” they unearthed usernames and passwords, including those belonging to a US Customs and Border Protection (CBP) employee. CBP later confirmed their TeleMessage usage.

Further digging exposed plaintext chat logs, including Coinbase internal communications. While Coinbase stated that no sensitive customer information was compromised, the breach underscored the severity of the vulnerability.

The Root Cause: A Misconfigured Server

Analysis of TM SGNL’s source code revealed that, unlike TeleMessage’s claims of “end-to-end encryption,” the app uploaded unencrypted messages to archive.telemessage.com before forwarding them to their destination. This archive server, built with Spring Boot, included the Actuator feature, which offers a heap dump endpoint.

Spring Boot’s documentation warns that Actuator endpoints can expose sensitive information and require careful consideration. In TeleMessage’s case, the misconfigured archive server leaked usernames, passwords, unencrypted chat logs, and encryption keys.

The exposed /heapdump file vulnerability is so common that cloud security firm Wiz listed it as the number one misconfiguration in Spring Boot Actuator in 2024. Although later versions of Spring Boot Actuator have secured defaults, developers often disable these measures for testing, potentially leaving them exposed in production environments.

The hacker’s swift exploit highlights a critical oversight in TeleMessage’s security configuration. The archive server was either running an outdated version of Spring Boot or had been manually configured to expose the heap dump endpoint, leading to the data breach.
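As an added example (not code from the article, TeleMessage or Spring), a small Python check that applies Spring Boot 2.x's Actuator exposure rules to an application.properties file and reports whether heapdump would be reachable over HTTP. The two property sets are constructed samples; the property names are real Spring Boot 2.x keys, and the Spring Boot 1.x and 3.4+ spellings are assumed out of scope.

```python
"""Check a Spring Boot 2.x application.properties for a web-exposed heapdump."""

# Constructed risky sample (not TeleMessage's real configuration): every
# endpoint exposed over the web and the Actuator base path moved to "/",
# which is what puts a heap dump at https://host/heapdump.
RISKY = """
management.endpoints.web.exposure.include=*
management.endpoints.web.base-path=/
server.port=8080
"""

# Constructed hardened sample: only health over the web, heapdump disabled
# outright, and management traffic moved to a separate port.
HARDENED = """
management.endpoints.web.exposure.include=health
management.endpoint.heapdump.enabled=false
management.server.port=9090
"""


def parse_properties(text):
    """Minimal key=value parser; skips blank lines and '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}


def heapdump_web_path(props):
    """Return the URL path serving heapdump, or None if it is not web-exposed.

    Spring Boot 2.x rules: an endpoint is enabled unless
    management.endpoint.heapdump.enabled (or enabled-by-default) is false;
    exclude wins over include; '*' is a wildcard; the default web exposure is
    health only (health,info on older 2.x), so heapdump is not web-exposed
    unless include names it or uses '*'; default base path is /actuator.
    """
    default_on = props.get("management.endpoints.enabled-by-default", "true")
    if props.get("management.endpoint.heapdump.enabled", default_on) != "true":
        return None
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if exclude & {"heapdump", "*"} or not include & {"heapdump", "*"}:
        return None
    base = props.get("management.endpoints.web.base-path", "/actuator").rstrip("/")
    return f"{base}/heapdump"
```

Run `heapdump_web_path(parse_properties(RISKY))` against your own properties file to see where a dump would be served; a `None` result means the endpoint is disabled or not exposed over the web.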

Implications and Lessons Learned

Despite the vulnerability and the risk of plaintext access to chat logs by TeleMessage, the Trump administration deployed the app on Mike Waltz’s phone during his tenure as national security advisor. This incident underscores the importance of rigorous security assessments and proper configuration, especially when handling sensitive communications.
