
Unraveling the Secret Chronicle of Telemessage, with Steps to Access the Stored Data

At DEF CON, it appears that everyone fell short in practicing Operational Security (OPSEC)

Unveiling the Behind-the-Scenes of the Telemessage Fiasco and Guidelines for Data Viewing


In a shocking turn of events, a security lapse in the TeleMessage app, a supposedly secure messaging platform used by White House officials, has led to a massive data breach. The breach was primarily due to poor security practices, outdated server software, and an exposed debugging endpoint that allowed the download of sensitive in-memory data containing unencrypted messages [1][2][3].

Micah Lee, a renowned security expert, discovered this vulnerability and published the data, leading to the exposure of confidential communications. The app, marketed as offering end-to-end encryption, was found to store messages in plaintext on an archive server, making it easy for attackers to extract and leak sensitive data [1].

One of the key factors contributing to the breach was the use of hardcoded credentials for accessing a WordPress API within the TeleMessage app. Every message sent through the app was backed up to a SQLite database via HTTPS on an archive server [1]. Moreover, a publicly accessible URL on TeleMessage’s archive server allowed anyone to download Java heap dumps—a type of memory dump—containing plain text chat messages, including communications of US government personnel [1].

The app also used an outdated version of the open-source Java framework Spring Boot, at least seven years old, which made it easier for attackers to run debugging tools to extract sensitive JSON objects directly from the heap dumps [1]. This, combined with the other security flaws, enabled hackers to extract and leak massive communication databases from US government customers such as Customs and Border Protection [1][2][3][5].

The breach has raised serious concerns about the security of TeleMessage, a Signal clone that backs up messages to a server, reportedly to comply with the US Federal Records Act. The app has been used by various individuals, including security-conscious journalists and former White House national security adviser Mike Waltz, who was involved in the Signalgate fiasco [6].

Micah Lee analysed the Android source code of TeleMessage, which was published on their website, and found that by repeatedly requesting archive.telemessage.com/management/heapdump, one could download Java heap dumps containing messages [4]. In a concerning incident, a hacker who had been working on the TeleMessage app sent Micah Lee a data dump from one of TeleMessage's customers, the US Customs and Border Protection (CBP), including 780 emails of CBP officers [1][2][3].
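The repeated heap-dump downloads described above would leave a clear trace in the archive server's web access logs. The following detection script is an added example, not code from the article or from TeleMessage: it parses constructed combined-format log lines (placeholder IPs and sizes, not incident data) and reports every client that successfully pulled a sensitive Spring Boot Actuator endpoint under an assumed `/management` base path, with the request count and bytes served.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in combined log format; the IPs and
# sizes are placeholders and are not taken from the incident.
SAMPLE_LOG = """\
198.51.100.7 - - [04/May/2025:10:00:01 +0000] "GET /management/health HTTP/1.1" 200 15 "-" "curl/8.0"
198.51.100.7 - - [04/May/2025:10:00:05 +0000] "GET /management/heapdump HTTP/1.1" 200 157286400 "-" "curl/8.0"
198.51.100.7 - - [04/May/2025:10:02:11 +0000] "GET /management/heapdump HTTP/1.1" 200 160432128 "-" "curl/8.0"
203.0.113.9 - - [04/May/2025:10:03:40 +0000] "GET /management/heapdump HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.9 - - [04/May/2025:10:04:02 +0000] "GET /management/env?x=1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# Actuator endpoints whose responses carry memory contents, configuration
# or secrets; a 2xx on any of these from an unexpected client is a finding.
SENSITIVE_ENDPOINTS = {"heapdump", "threaddump", "env", "configprops", "beans"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def find_exposed_actuator_reads(log_text, base_path="/management"):
    """Map (client_ip, endpoint) -> (request_count, bytes_served) for every
    sensitive actuator endpoint under base_path that answered 2xx.
    4xx responses are ignored: there the access control did its job."""
    hits = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        # Strip any query string, then take the first path segment after base_path.
        path = m["path"].split("?", 1)[0].rstrip("/")
        if not path.startswith(base_path + "/"):
            continue
        endpoint = path[len(base_path) + 1:].split("/", 1)[0]
        status = int(m["status"])
        if endpoint in SENSITIVE_ENDPOINTS and 200 <= status < 300:
            served = 0 if m["bytes"] == "-" else int(m["bytes"])
            hits[(m["ip"], endpoint)][0] += 1
            hits[(m["ip"], endpoint)][1] += served
    return {k: tuple(v) for k, v in hits.items()}

if __name__ == "__main__":
    for (ip, endpoint), (count, size) in sorted(find_exposed_actuator_reads(SAMPLE_LOG).items()):
        print(f"{ip} pulled /management/{endpoint} {count}x, {size} bytes total")
```

Large byte counts on `heapdump` from a single client are the signal to alert on; the 401 line shows what the log looks like when the endpoint is actually protected.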

This breach serves as a stark reminder of the importance of robust security practices in the digital age, especially for apps used by government personnel and other high-profile individuals. It is crucial for developers to regularly update their software components, secure their servers, and avoid hardcoding sensitive credentials in their applications.

  1. Micah Lee, known for his expertise in cybersecurity, uncovered a substantial security flaw in the TeleMessage app, a supposedly secure messaging platform, leading to a data breach.
  2. The TeleMessage app, touted as offering end-to-end encryption, was found to store messages in plaintext on an archive server, making it vulnerable to data extraction and leaks.
  3. One of the fundamental issues that contributed to the breach was the use of hardcoded credentials for accessing a WordPress API within the TeleMessage app.
  4. Every message sent through the app was backed up to a SQLite database via HTTPS on an archive server, further adding to the vulnerability.
  5. A publicly accessible URL on TeleMessage’s archive server allowed the download of Java heap dumps containing plain text chat messages, including those of US government personnel.
  6. The app used an outdated version of the open-source Java framework Spring Boot, at least seven years old, which facilitated the running of debugging tools to extract sensitive JSON objects directly from the heap dumps.
  7. This combination of outdated software, poor security practices, and exposed debugging endpoints enabled hackers to extract and leak massive communication databases from US government customers like the Customs and Border Protection.
  8. The TeleMessage app, which complies with the US Federal Records Act by backing up messages to a server, has been used by individuals including security-conscious journalists and former White House national security adviser Mike Waltz.
  9. In a concerning incident, a hacker working on the TeleMessage app sent Micah Lee a data dump from one of TeleMessage's customers, the US Customs and Border Protection (CBP), including 780 emails of CBP officers.
  10. This breach underscores the significance of robust security practices in the digital age, particularly for apps used by government personnel and high-profile individuals.
  11. It is imperative for developers to regularly update their software components, secure their servers, and avoid hardcoding sensitive credentials in their applications to ensure the safety of personal, financial, and business data, regardless of the industry.
