During a recent cabinet meeting, President Donald Trump’s then national security adviser, Mike Waltz, must have been bored. Apparently unaware of the photographer behind him, he was caught clandestinely checking his Signal messages under the table.

Only he wasn’t using the official Signal app, which is widely considered to be the gold standard of encrypted messaging apps. He was actually using a clone of Signal called TeleMessage Signal, or TM SGNL. This app, made by TeleMessage (which was recently acquired by Smarsh), works in almost exactly the same way as Signal, except that it also archives copies of all the messages passing through it, shattering all of its security guarantees.

Two days after the photo of Waltz was published, an anonymous source told me that they had hacked TeleMessage. “I would say the whole process took about 15 to 20 minutes,” the hacker said, as Joseph Cox and I reported in 404 Media. “It wasn’t much effort at all.” Representatives from TeleMessage and Smarsh did not respond to a request for comment.
The exploit that the hacker used was incredibly simple. At the time, we chose not to publish any details about it because it would be so easy for others to replicate. Since then, TeleMessage has temporarily suspended all services, which is why WIRED can now share exactly how this hack took place without risking anyone’s private data.

“I first looked at the admin panel secure.telemessage.com and noticed that they were hashing passwords to MD5 on the client side, something that negates the security benefits of hashing passwords, as the hash effectively becomes the password,” the hacker said. (Hashing is a one-way transformation applied to a password before it is stored, so that the stored value cannot be turned back into the password; MD5 is a fast, long-broken hash function that is inadequate for this purpose.) Drop Site News has since reported that it appears that this admin panel exposed email addresses, passwords, usernames, and phone numbers to the public.
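The hacker’s point that “the hash effectively becomes the password” is easy to see in code. The following is an added illustration, not code from TeleMessage or from the article: it models a client that MD5-hashes the password before sending it (so whatever sits in the request body, and therefore in any log or memory snapshot of it, is a directly replayable credential) next to the standard server-side design, where the server derives a salted, slow hash and the stored value is useless as a login token. Usernames, passwords, and the in-memory “database” are constructed sample values; scrypt parameters are an assumed reasonable baseline, not anything from the page.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demo; not taken from any real system.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"

# --- Weak design: the client hashes with MD5 and sends only the digest. -----

def weak_server_register(db, username, password):
    """Server stores the unsalted MD5 digest, the same value the client sends."""
    db[username] = hashlib.md5(password.encode()).hexdigest()

def client_md5_login_request(username, password):
    """Models what a browser doing client-side MD5 puts in the request body."""
    return {"user": username, "pw_md5": hashlib.md5(password.encode()).hexdigest()}

def weak_server_verify(db, request):
    """Compares the submitted digest with the stored one. Note that nothing here
    ever needs the plaintext: the request body is a bearer credential, so any
    copy of it (proxy log, heap dump, error report) logs the user in as-is."""
    stored = db.get(request["user"], "")
    return hmac.compare_digest(stored, request["pw_md5"])

# --- Hardened design: plaintext over TLS, salted slow hash on the server. ---

# Assumed work-factor baseline (about 16 MiB of memory per scrypt call).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)

def strong_server_register(db, username, password):
    """Per-user random salt plus a memory-hard KDF, computed only on the server."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    db[username] = (salt, key)

def strong_server_verify(db, username, password):
    """Re-derives the key from the submitted plaintext and compares in constant
    time. The stored key cannot be submitted in place of the password, so a leak
    of the database does not hand out working logins the way leaked MD5 did."""
    record = db.get(username)
    if record is None:
        # Burn the same work for unknown users so response time does not reveal
        # which usernames exist.
        hashlib.scrypt(b"dummy", salt=b"\0" * 16, **SCRYPT_PARAMS)
        return False
    salt, key = record
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, key)

def demo():
    """Runs both designs on the sample credentials and returns the outcomes."""
    weak_db, strong_db = {}, {}
    weak_server_register(weak_db, SAMPLE_USER, SAMPLE_PASSWORD)
    strong_server_register(strong_db, SAMPLE_USER, SAMPLE_PASSWORD)

    # A captured request body (e.g. recovered from a memory snapshot) is
    # accepted unchanged by the weak server: the hash *is* the password.
    captured_body = client_md5_login_request(SAMPLE_USER, SAMPLE_PASSWORD)
    weak_accepts_captured = weak_server_verify(weak_db, captured_body)

    # With the hardened server, the stored hash does not work as a password.
    _, stored_key = strong_db[SAMPLE_USER]
    strong_accepts_stored_hash = strong_server_verify(strong_db, SAMPLE_USER, stored_key.hex())
    strong_accepts_real = strong_server_verify(strong_db, SAMPLE_USER, SAMPLE_PASSWORD)
    return {
        "weak_accepts_captured_body": weak_accepts_captured,
        "strong_accepts_stored_hash": strong_accepts_stored_hash,
        "strong_accepts_real_password": strong_accepts_real,
    }

if __name__ == "__main__":
    print(demo())
```

The lesson is not that hashing on the client is harmful in itself, but that it is not a substitute for hashing on the server: whatever the client sends is, by definition, the thing the server accepts, so it must be protected in transit (TLS) and never written to logs, error reports, or memory dumps that others can fetch.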
The weak password hashing, and the fact that the TeleMessage site was programmed with JSP—an early 2000s-era technology for creating web apps in Java—gave the hacker “the impression that their security must be poor.” Hoping to find vulnerable JSP files, the hacker then used feroxbuster, a tool that can quickly find publicly available resources on a website, on secure.telemessage.com.

The hacker also used feroxbuster on archive.telemessage.com, another domain used by TeleMessage, which is where they discovered the vulnerable URL, which ended in /heapdump.

When they loaded this URL, the server responded with a Java heap dump, which is a roughly 150-MB file containing a snapshot of the server’s memory at the moment the URL was loaded.

The hacker said they “knew from past experience that heap dumps from web servers” will include the “bodies” of HTTP requests, “and this may include credentials of users logging in.” And for TM SGNL, they did. By downloading a heap dump and then searching for “password,” the hacker could see usernames and passwords of random users.
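Both steps of the intrusion described above leave distinctive traces in ordinary web server access logs: a wordlist-driven scanner such as feroxbuster produces a burst of requests for many different non-existent paths from one source, and the retrieval of a diagnostic endpoint such as /heapdump shows up as a single request with an unusually large response. The following is an added detection example written from the defender’s side, not code from the article, TeleMessage, or feroxbuster. The log lines are constructed to resemble the combined log format; the IP addresses, timestamps, paths, and sizes are made up. Only /heapdump is named in the article, so the other entries in SENSITIVE_PATHS are assumed examples of the same class of diagnostic endpoint and should be tuned to the deployment being monitored.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [ts] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Diagnostic endpoints that should never be reachable from the internet.
# "/heapdump" is the one the article names; the rest are assumed examples.
SENSITIVE_PATHS = ("/heapdump", "/actuator/heapdump", "/threaddump", "/env")

def parse_line(line):
    """Parses one access-log line into a dict, or returns None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    event["status"] = int(event["status"])
    event["size"] = 0 if event["size"] == "-" else int(event["size"])
    return event

def sensitive_endpoint_hits(events):
    """Every request for a sensitive path, whatever the status: a 200 with a
    large size means the dump was served; a 404 still shows someone probing."""
    hits = []
    for e in events:
        path = e["path"].split("?", 1)[0].rstrip("/") or "/"
        if path in SENSITIVE_PATHS:
            hits.append(e)
    return hits

def enumeration_sources(events, window_seconds=60, threshold=20):
    """Flags source IPs that requested at least `threshold` distinct paths
    answered with 404 inside any `window_seconds` span. Returns {ip: peak count}."""
    misses_by_ip = defaultdict(list)
    for e in events:
        if e["status"] == 404:
            misses_by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, misses in misses_by_ip.items():
        misses.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(misses)):
            # Advance the window start until it is within window_seconds of `end`.
            while (misses[end]["ts"] - misses[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            distinct = {e["path"] for e in misses[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged

def constructed_sample_log():
    """Constructed log lines: two benign requests, a 25-path scan burst from
    one source, then a served 150 MiB /heapdump from that same source."""
    lines = [
        '198.51.100.4 - - [01/May/2025:10:00:01 +0000] "GET /login.jsp HTTP/1.1" 200 2048',
        '198.51.100.4 - - [01/May/2025:10:00:09 +0000] "POST /login.jsp HTTP/1.1" 302 0',
    ]
    for i in range(25):
        lines.append(
            f'203.0.113.7 - - [01/May/2025:10:05:{i:02d} +0000] "GET /probe{i}.jsp HTTP/1.1" 404 196'
        )
    lines.append('203.0.113.7 - - [01/May/2025:10:06:30 +0000] "GET /heapdump HTTP/1.1" 200 157286400')
    return lines

def analyze(lines):
    """Runs both detections over raw log lines and returns a summary."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return {
        "sensitive_hits": [(e["ip"], e["path"], e["status"], e["size"]) for e in sensitive_endpoint_hits(events)],
        "enumeration_sources": enumeration_sources(events),
    }

if __name__ == "__main__":
    for key, value in analyze(constructed_sample_log()).items():
        print(key, value)
```

The scan detector keys on distinct 404 paths rather than raw request volume so that a busy legitimate client reloading one page is not flagged, while the endpoint check deliberately reports every status: a 404 for /heapdump from the same source that was just enumerating is the moment to block, before the 200 that follows. Detection is secondary to removing the endpoint, though; a diagnostic that returns a full memory image should not be reachable from the internet at all.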