How the Signal Knockoff App TeleMessage Got Hacked in 20 Minutes

They tried logging into secure.telemessage.com using a pair of these credentials and discovered that they had just hacked a user with an email address associated with US Customs and Border Protection, one of the agencies implementing Trump’s draconian immigration policy. CBP has since confirmed that it was a TeleMessage customer.

After spending a few more minutes digging through the heap dump, the hacker also discovered plaintext chat logs. “I can read Coinbase internal chats, this is incredible,” the hacker said. (Coinbase did not respond to WIRED’s request for comment, but did tell 404 Media that “there is no evidence any sensitive Coinbase customer information was accessed or that any customer accounts are at risk, since Coinbase does not use this tool to share passwords, seed phrases, or other data needed to access accounts.”)

At this point, the hacker says they had spent 15 to 20 minutes poking at TeleMessage’s servers, and had already compromised one of their federal government customers, along with one of the world’s biggest cryptocurrency exchanges.

As I discovered from analyzing TM SGNL’s source code, TeleMessage apps—like the one running on Mike Waltz’s phone—uploaded unencrypted messages to archive.telemessage.com (I call this the archive server), which then forwards the messages to the customer’s final destination. This contradicts TeleMessage’s public marketing material, where they claimed TM SNGL uses “end-to-end encryption from the mobile phone through to the corporate archive.”

The archive server is programmed in Java and is built using Spring Boot, an open source framework for creating Java applications. Spring Boot includes a set of features called Actuator that helps developers monitor and debug their applications. One of these features is the heap dump endpoint, which is the URL the hacker used to download heap dumps.

According to Spring Boot Actuator’s documentation: “Since Endpoints may contain sensitive information, careful consideration should be given about when to expose them.” In the case of TeleMessage’s archive server, the heap dumps contained usernames, passwords, unencrypted chat logs, encryption keys, and other sensitive information.

If anyone on the internet had loaded the heap dump URL right as Mike Waltz was texting using the TM SGNL app, the heap dump file would have contained his unencrypted Signal messages, too.

A 2024 post on the cloud security company Wiz’s blog lists “Exposed HeapDump file” as the number one common misconfiguration in Spring Boot Actuator. “Up until version 1.5 (released in 2017), the /heapdump endpoint was configured as publicly exposed and accessible without authentication by default. Since then, in later versions Spring Boot Actuator has changed its default configuration to expose only the /health and /info endpoints without authentication (these are less interesting for attackers),” the author wrote. “Despite this improvement, developers often disable these security measures for diagnostic purposes when deploying applications to test environments, and this seemingly small configuration change may remain unnoticed and thereby persist when an application is pushed to production, inadvertently allowing attackers to obtain unauthorized access to critical data.”

In a 2020 post on Walmart’s Global Tech Blog, another developer gave a similar warning. “Apart from /health and /info, all actuator endpoints are risky to open to end users because they can expose application dumps, logs, configuration data and controls,” the author wrote. “The actuator endpoints have security implications and SHOULD NEVER EVER be exposed in production environment.”

The hacker’s quick exploit of TeleMessage indicates that the archive server was badly misconfigured. It was either running an eight-year-old version of Spring Boot, or someone had manually configured it to expose the heap dump endpoint to the public internet.

This is why it took a hacker about 20 minutes of prodding before it cracked open, with sensitive data spilling out.

Despite this critical vulnerability and other security issues with TeleMessage’s products—most notably, that the Israeli firm that builds the products can access all its customer’s chat logs in plaintext—someone in the Trump administration deployed it to Mike Waltz’s phone while he was serving as national security adviser.