Inside the Breach: How the Signal Knockoff App TeleMessage Was Hacked in Just 20 Minutes

During a recent cabinet meeting, then National Security Adviser Mike Waltz was spotted covertly checking his messages under the table. However, instead of using the official Signal app, which is known for its robust encryption, he was using a clone called TeleMessage Signal (TM SGNL). This app, unlike Signal, archives all messages, compromising their security.

Just two days after the incident, an anonymous hacker reported breaching TeleMessage in a mere 15 to 20 minutes. The hacker attributed their success to a fundamental misconfiguration within the app. They managed to exploit an admin panel of TeleMessage that was poorly secured, revealing user data like email addresses, passwords, and phone numbers.

The hacker specifically noted that TeleMessage was using MD5 for password hashing, a fast hash function that is unsuitable for storing passwords. Additionally, the TeleMessage web application was built on outdated technology, a further sign that the company's security practices were inadequate. The hacker identified a vulnerable URL on the system that let them download a Java heap dump file, a snapshot of the server's memory that included sensitive user data.

By downloading the heap dump and searching for “password,” the hacker uncovered credentials for various users, including one affiliated with U.S. Customs and Border Protection. The hacker also discovered plaintext chat logs revealing private communications from businesses like Coinbase, confirming that they had quickly compromised both a federal agency and one of the largest cryptocurrency exchanges.

TeleMessage’s handling of unencrypted messages also allowed the hacker to read internal discussions, which contradicted the company’s claims of providing end-to-end encryption. The vulnerability stemmed from a specific endpoint in their Java application that exposed such heap dumps without proper security measures. Although newer versions of the framework used (Spring Boot) have remedied this issue, it appears that TeleMessage either failed to update or improperly configured their settings.
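
For defenders running Spring Boot services, the following added example (not code from the article or from TeleMessage) audits an `application.properties` file for a heap dump endpoint that is mapped over HTTP. It assumes Spring Boot 2.x-style Actuator property names; the sample configurations are constructed.

```python
import re

# Assumption: Spring Boot 2.x-style Actuator property names in application.properties.
INCLUDE = "management.endpoints.web.exposure.include"
EXCLUDE = "management.endpoints.web.exposure.exclude"
HEAPDUMP_ENABLED = "management.endpoint.heapdump.enabled"

def parse_properties(text):
    """Parse key=value or key:value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2:
            props[parts[0]] = parts[1]
    return props

def _ids(value):
    """Split a comma-separated endpoint list into a normalized set."""
    return {v.strip().lower() for v in value.split(",") if v.strip()}

def heapdump_exposed(text):
    """True when the heap dump endpoint is enabled and mapped over HTTP."""
    p = parse_properties(text)
    include = _ids(p.get(INCLUDE, "health"))  # framework default does not list heapdump
    exclude = _ids(p.get(EXCLUDE, ""))
    enabled = p.get(HEAPDUMP_ENABLED, "true").lower() != "false"
    on_web = bool(include & {"*", "heapdump"}) and not exclude & {"*", "heapdump"}
    return enabled and on_web

def audit(text):
    """Return a list of findings for one properties file (empty list means clean)."""
    findings = []
    if heapdump_exposed(text):
        findings.append("heapdump endpoint is reachable over HTTP")
    if "*" in _ids(parse_properties(text).get(INCLUDE, "")):
        findings.append("wildcard exposure publishes every enabled endpoint")
    return findings

# Constructed sample configurations.
WEAK = "management.endpoints.web.exposure.include=*\n"
EXCLUDED = WEAK + "management.endpoints.web.exposure.exclude=heapdump\n"
HARDENED = ("management.endpoints.web.exposure.include=health,info\n"
            "management.endpoint.heapdump.enabled=false\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("excluded", EXCLUDED), ("hardened", HARDENED)):
        print(name, audit(cfg) or "ok")
```

A finding means the endpoint is mapped over HTTP; whether a request to it needs credentials depends on the application's security configuration, which this check does not read.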

In summary, this incident emphasizes the risks associated with using poorly secured messaging applications within sensitive environments, especially when critical government officials are relying on them. Despite the critical flaws identified, TeleMessage had already been deployed on Waltz’s phone during his tenure, raising concerns about the overall security of communication tools utilized by government officials.
