How TeleMessage's Signal Clone App Was Hacked in 20 Minutes

Trying those credential pairs against secure.telemessage.com, they found that they had just compromised users whose email addresses belonged to US Customs and Border Protection, one of the agencies carrying out Trump's hardline immigration policies. CBP has since confirmed that it was a TeleMessage customer.
After a few more minutes of digging through the heap dump, the hackers also found plaintext chat logs. "You can read Coinbase's internal chat, which is incredible," the hacker said. (Coinbase did not respond to Wired's request for comment, but told 404 Media: "Because Coinbase does not use this tool to share passwords, seed phrases, or any other data needed to access accounts, there is no evidence that sensitive Coinbase customer information was accessed or that any customer accounts are at risk.")
At this point, the hackers say, they had been poking at TeleMessage's server for 15 to 20 minutes and had already breached one of the world's largest cryptocurrency exchanges and one of its federal customers.
As I found when analyzing the TM SGNL source code, the TeleMessage app (the same one that was running on Mike Waltz's phone) uploads unencrypted messages to archive.telemessage.com (the so-called archive server), which then forwards them on to the customer's final archive destination. This contradicts TeleMessage's public marketing material, which claims that TM SGNL uses "end-to-end encryption from the mobile phone through to the corporate archive."
The archive server is written in Java and built with Spring Boot, an open source framework for writing Java applications. Spring Boot includes a set of features, collectively called Actuator, that help developers monitor and debug applications. One of these is the heap dump endpoint, and that is the URL the hackers used to download the heap dump. A heap dump is a snapshot of everything the Java virtual machine held in memory at that instant, so whatever the server was working with at the time, credentials, session data, messages in transit, ends up in the file.
The Spring Boot Actuator documentation is explicit about this: "Since endpoints may contain sensitive information, you should carefully consider when to expose them." In the case of TeleMessage's archive server, the heap dump contained usernames, passwords, unencrypted chat logs, encryption keys, and other sensitive information.
Had Mike Waltz happened to be sending text messages with the TM SGNL app at the moment someone on the internet loaded the heap dump URL, the heap dump file would also have contained his unencrypted Signal messages.
A 2024 post on the blog of cloud security company Wiz lists "Exposed Heapdump Files" as one of the common misconfigurations of Spring Boot Actuator. "Until version 1.5 (released in 2017), the /heapdump endpoint was configured to be publicly accessible by default, without authentication. Since then, in later versions, Spring Boot Actuator has changed its default configuration to expose only the /health and /info endpoints," the authors write. "Despite this improvement, developers often disable these security measures for diagnostic purposes when deploying applications in their environments. These seemingly small configuration changes go unnoticed, pushing applications into production and allowing attackers to gain unauthorized access to critical data."
A 2020 post on Walmart's Global Tech blog carried a similar warning from another developer. "Apart from /health and /info, all actuator endpoints can expose application dumps, logs, configuration data and controls, and there is a risk in opening them up to end users," the author writes. "Actuator endpoints have security implications and should never be exposed in production environments."
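To make the misconfiguration the Wiz and Walmart posts describe concrete, here is an added example (not code from the original article, and not TeleMessage's actual configuration, which is not public) of a Spring Boot 2.x/3.x `application.yml`. The first document is the hardened baseline that applies always; the second, gated behind a hypothetical `local-diagnostics` profile name chosen for this example, is the "expose everything so I can debug" setting that must never reach a public deployment. The actuator paths themselves depend on the base path, `/actuator` by default in Spring Boot 2 and later and no prefix in the 1.x line that the 2017-era default refers to.

```yaml
# Added example, not TeleMessage's configuration.
# Document 1: applies to every profile. This is the production baseline.
management:
  server:
    port: 8081                      # actuator on its own port, not the app's public port;
                                    # firewall this port to the monitoring network only
  endpoints:
    web:
      base-path: /actuator          # default in Spring Boot 2+, shown for clarity
      exposure:
        include: "health,info"      # the Spring Boot 2+ default set, stated explicitly
        exclude: "heapdump,threaddump,env,configprops,logfile,mappings,beans"
                                    # exclude wins over include: even a later
                                    # "include: *" will not re-expose these
  endpoint:
    heapdump:
      enabled: false                # no bean is even registered for /actuator/heapdump
    env:
      enabled: false                # /env echoes environment variables and properties
    health:
      show-details: never           # "UP"/"DOWN" only, no datasource names or disk paths

---
# Document 2: only active with SPRING_PROFILES_ACTIVE=local-diagnostics
# ("local-diagnostics" is a name assumed for this example).
# This is the kind of change the Wiz post warns about: it is fine on a
# developer laptop and catastrophic if it leaks into a deployed config.
spring:
  config:
    activate:
      on-profile: local-diagnostics
management:
  endpoints:
    web:
      exposure:
        include: "*"                # every endpoint over HTTP, heapdump included
        exclude: ""                 # has to be cleared too, or the baseline exclude still wins
  endpoint:
    heapdump:
      enabled: true                 # re-enable what document 1 switched off
    env:
      enabled: true
```

Two caveats a practitioner would want. First, `exposure` controls which endpoints exist over HTTP; it is not authentication. If anything beyond `health` must be reachable from a network, Spring Security (or the reverse proxy) has to require credentials on `/actuator/**`, otherwise an exposed endpoint is a public one. Second, the quickest check on a running service is to request the heap dump URL from outside the trust boundary: a `200` with an `application/octet-stream` body the size of the JVM heap is the finding described in this article, while `401`, `403` or `404` is what the baseline above produces.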
The speed with which the hacker exploited TeleMessage shows that the archive server was badly misconfigured. Either it was running an eight-year-old version of Spring Boot, or someone had manually configured the heap dump endpoint to be exposed to the public internet.
This is why it took the hacker only about 20 minutes of poking around to crack the server open.
Beyond this critical vulnerability, TeleMessage's products have other security problems, most notably that the Israeli company that builds them has access to all of its customers' chat logs in plaintext.