How the Signal Knockoff App TeleMessage Was Hacked in 20 Minutes

In a striking example of the perils of using unofficial software for sensitive communications, the TeleMessage Signal (TM SGNL) app—a clone of the encrypted messaging service Signal—was compromised in just 15 to 20 minutes by a hacker exploiting basic security flaws.

The Breach

TeleMessage, developed by an Israeli company and recently acquired by U.S.-based Smarsh, was designed to mimic Signal while adding message archiving features for compliance purposes. However, this modification introduced significant vulnerabilities. The hacker accessed a publicly exposed Java heap dump file via a misconfigured Spring Boot Actuator endpoint. This file contained plaintext data, including usernames, passwords, and chat logs.
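The misconfiguration described above comes down to how Spring Boot Actuator endpoints are exposed. The following `application.yml` is an added illustration, not TeleMessage's or Smarsh's own configuration; it assumes standard Spring Boot 2.x/3.x property names and shows the over-permissive setting next to a hardened one.

```yaml
# Added example: Spring Boot Actuator exposure settings.
# The single line below is the kind of setting that publishes every actuator
# endpoint, including /actuator/heapdump, on the application's public port.
# It is left commented out here; do not enable it on an internet-facing app.
#
# management:
#   endpoints:
#     web:
#       exposure:
#         include: "*"

# Hardened configuration (assumed property names, all documented by Spring Boot):
management:
  endpoint:
    heapdump:
      enabled: false          # a heap dump contains live memory: credentials, sessions, messages
    env:
      enabled: false          # environment dump can reveal secrets passed via env/config
  endpoints:
    enabled-by-default: false # opt in to each endpoint explicitly
    web:
      exposure:
        include: "health"     # expose only what load balancers need
        exclude: "heapdump,threaddump,env,configprops"
  server:
    port: 8081                # serve actuator on a separate management port...
    address: 127.0.0.1        # ...bound to loopback, reachable only from the host or a sidecar
```

With this in place, a request to `/actuator/heapdump` on the public port returns 404, and the remaining endpoints are reachable only on the loopback-bound management port, which should additionally sit behind authentication.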

Security Lapses

The app’s infrastructure relied on outdated technologies like JavaServer Pages (JSP) and used weak MD5 hashing for passwords, undermining its security. The exposed heap dump allowed the hacker to retrieve sensitive information belonging to users, including those associated with U.S. Customs and Border Protection and Coinbase.

Implications

This incident underscores the risks of deploying unofficial or modified versions of secure applications, especially within government agencies. The use of TM SGNL by high-ranking officials, including former National Security Adviser Mike Waltz, raises concerns about the vetting processes for communication tools in sensitive environments.

Conclusion

The TeleMessage breach serves as a cautionary tale about the importance of adhering to vetted, secure communication platforms. Modifying encrypted apps for additional features like archiving can inadvertently introduce vulnerabilities, compromising the very security these tools aim to provide.
