They tried logging into secure.telemessage.com using a pair of these credentials and discovered that they had just hacked a user with an email address associated with US Customs and Border Protection, one of the agencies implementing Trump’s draconian immigration policy. CBP has since confirmed that it was a TeleMessage customer.
After spending a few more minutes digging through the heap dump, the hacker also discovered plaintext chat logs. “I can read Coinbase internal chats, this is incredible,” the hacker said. (Coinbase did not respond to WIRED's request for comment, but did tell 404 Media that “there is no evidence any sensitive Coinbase customer information was accessed or that any customer accounts are at risk, since Coinbase does not use this tool to share passwords, seed phrases, or other data needed to access accounts.”)
At this point, the hacker says they had spent 15 to 20 minutes poking at TeleMessage’s servers, and had already compromised one of their federal government customers, along with one of the world’s biggest cryptocurrency exchanges.
As I discovered from analyzing TM SGNL’s source code, TeleMessage apps—like the one running on Mike Waltz’s phone—uploaded unencrypted messages to archive.telemessage.com (I call this the archive server), which then forwards the messages to the customer’s final destination. This contradicts TeleMessage’s public marketing material, where they claimed TM SGNL uses “end-to-end encryption from the mobile phone through to the corporate archive.”
The archive server is programmed in Java and is built using Spring Boot, an open source framework for creating Java applications. Spring Boot includes a set of features called Actuator that helps developers monitor and debug their applications. One of these features is the heap dump endpoint, which is the URL the hacker used to download heap dumps.
According to Spring Boot Actuator’s documentation: “Since Endpoints may contain sensitive information, careful consideration should be given about when to expose them.” In the case of TeleMessage’s archive server, the heap dumps contained usernames, passwords, unencrypted chat logs, encryption keys, and other sensitive information.
If anyone on the internet had loaded the heap dump URL right as Mike Waltz was texting using the TM SGNL app, the heap dump file would have contained his unencrypted Signal messages, too.
A 2024 post on the cloud security company Wiz’s blog lists “Exposed HeapDump file” as the number one common misconfiguration in Spring Boot Actuator. “Up until version 1.5 (released in 2017), the /heapdump endpoint was configured as publicly exposed and accessible without authentication by default. Since then, in later versions Spring Boot Actuator has changed its default configuration to expose only the /health and /info endpoints without authentication (these are less interesting for attackers),” the author wrote. “Despite this improvement, developers often disable these security measures for diagnostic purposes when deploying applications to test environments, and this seemingly small configuration change may remain unnoticed and thereby persist when an application is pushed to production, inadvertently allowing attackers to gain unauthorized access to critical data.”
In a 2020 post on Walmart’s Global Tech Blog, another developer gave a similar warning. “Apart from /health and /info, all actuator endpoints are risky to open to end users because they can expose application dumps, logs, configuration data and controls,” the author wrote. “The actuator endpoints have security implications and SHOULD NEVER EVER be exposed in production environment.”
The hacker’s quick exploit of TeleMessage indicates that the archive server was severely misconfigured. It was either running an eight-year-old version of Spring Boot, or someone had manually configured it to expose the heap dump endpoint to the public internet.
This is why it took a hacker only about 20 minutes of prodding before it cracked open, with sensitive data spilling out.
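As an added illustration (not code from this article, from TeleMessage, or from the blog posts quoted above), here are two Spring Boot application.properties files shown in one block: the first is the kind of “expose everything” diagnostic setting that makes /actuator/heapdump reachable to anyone who can reach the application, the second is the hardened form a reviewer should expect in production. The property names are Spring Boot’s own Actuator keys (2.x/3.x); the management port number is an assumed value.

```properties
# ===== File 1: application.properties (RISKY, what to look for in review) =====
# Added example, not TeleMessage's configuration.
# A wildcard exposes every Actuator endpoint over HTTP on the application's
# own port: /actuator/heapdump, /actuator/env, /actuator/loggers, and so on.
# A heap dump is a snapshot of JVM memory, so it carries whatever the app
# holds in RAM at that moment: session tokens, credentials, plaintext data.
# This is the "small configuration change" that quietly survives into prod.
management.endpoints.web.exposure.include=*

# ===== File 2: application.properties (HARDENED) =====
# Expose only the two low-risk endpoints; do not widen this for convenience.
management.endpoints.web.exposure.include=health,info
# Disable heapdump outright so a later "include=*" edit cannot re-expose it
# (a disabled endpoint is not served at all, regardless of exposure rules).
management.endpoint.heapdump.enabled=false
# Serve Actuator on a separate management port bound to loopback, so the
# endpoints are never reachable from the network the application faces.
# (assumed port value)
management.server.port=8081
management.server.address=127.0.0.1
```

A quick defensive check is to grep deployed configuration for `exposure.include=*` and to confirm that the management port is not listening on a public interface.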
Despite this critical vulnerability and other security issues with TeleMessage’s products—most notably, that the Israeli firm that builds the products can access all its customers’ chat logs in plaintext—someone in the Trump administration deployed it to Mike Waltz’s phone while he was serving as national security adviser.