The inside story of the Telemessage saga, and how you can view the data
DEF CON On Saturday at DEF CON, security boffin Micah Lee explained just how he hacked into TeleMessage, the supposedly secure messaging app used by White House officials, which in turn led to a massive database dump of their communications.
As possibly the most secure end-to-end encrypted messaging app, Signal is used by everyone from security-conscious journalists to the former White House national security adviser Mike Waltz – although, as we saw in the Signalgate saga, no security system can save you from stupidity such as adding a journalist to your chat.
Shortly after the Signalgate fiasco, a canny photographer spotted that Waltz was using a Signal clone, TeleMessage, which backed up messages to a server, reportedly to comply with the US Federal Records Act. Lee decided to investigate, and explained to The Register how he managed to crack the system and put a 410GB database of messages online.
“I analyzed the Android source code, which TeleMessage published on their website, although it was kind of hard to find,” he said.
“I spent a while trying to download a copy of the app, because I knew that if I had a copy, I could request the source code or they would be violating the Signal license. But they published the Android source code.”
After “three minutes” of examination, he spotted that the app had hardcoded credentials stored for a WordPress API. Every message sent using the app was backed up to a SQLite database via HTTPS. A fellow hacker also working on the TeleMessage app traced some of those messages back to their source and sent him a data dump from one of TeleMessage’s customers, US Customs and Border Protection (CBP), including 780 emails of CBP officers.
It turns out the messages were very easy to find. By repeatedly requesting archive.telemessage.com/management/heapdump, anyone could download Java heap dumps from the archive server, and running the command-line tool strings over them turned up a lot of JSON objects, many of which contained plaintext messages.
“TeleMessage advertises that it’s end-to-end encrypted between the phone and their archive server, or wherever they’re at the final archive destination,” he explained. In fact, however, “it’s just plain text messages going through their archive server. If you make a GET request to a specific URL, it hands you a memory dump of everything on the server, and the memory dump includes plain text chat messages.”
The key for Lee was that the archive server used an open source Java framework called Spring Boot, and the version used by TeleMessage was at least seven years old. That, and the heap dump URL above, have since been fixed, but not before a lot of data was downloaded by Lee and others.
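For defenders running Spring Boot services, the exposure described above leaves a very recognisable trace in web server access logs: GET requests to the actuator's state-disclosing endpoints that return a 200 with a large body. The following script is an added example for this article, not code from Lee, TeleMessage or The Register. It scans Combined Log Format lines for requests whose last path segment is a known Spring Boot Actuator endpoint name (heapdump, env, threaddump and so on; these are the framework's standard endpoint ids), which also catches the /management/heapdump path from the story, and separates mere probes from responses that actually handed data out. The log lines are constructed for the example; the IP addresses are documentation ranges.

```python
import re
from dataclasses import dataclass

# Standard Spring Boot Actuator endpoint ids that disclose server state or
# memory. The TeleMessage server served them under /management/, but the
# id is the last path segment whatever the context path is.
SENSITIVE_ENDPOINTS = {
    "heapdump", "threaddump", "dump", "env", "configprops",
    "mappings", "beans", "logfile", "trace", "httptrace",
}

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log (not real traffic); addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [04/May/2025:12:00:01 +0000] "GET /login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [04/May/2025:12:00:05 +0000] "GET /management/heapdump HTTP/1.1" 200 187654321 "-" "curl/8.5.0"
198.51.100.7 - - [04/May/2025:12:01:10 +0000] "GET /actuator/env HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.7 - - [04/May/2025:12:01:12 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "python-requests/2.31"
192.0.2.44 - - [04/May/2025:12:02:00 +0000] "POST /api/messages HTTP/1.1" 201 64 "-" "okhttp/4.9"
this line is malformed and must be skipped, not crash the scanner
"""


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    status: int
    size: int


def is_actuator_probe(path: str) -> bool:
    """True if the request path ends in a sensitive actuator endpoint id."""
    clean = path.split("?", 1)[0].rstrip("/")       # drop query string, trailing slash
    last = clean.rsplit("/", 1)[-1].lower()          # last path segment
    return last in SENSITIVE_ENDPOINTS


def scan_access_log(lines) -> list[Finding]:
    """Return one Finding per request that targeted a sensitive endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_actuator_probe(m["path"]):
            continue                                  # unparseable or uninteresting
        size = 0 if m["size"] == "-" else int(m["size"])
        findings.append(Finding(m["ip"], m["ts"], m["path"].split("?", 1)[0],
                                int(m["status"]), size))
    return findings


def successful_dumps(findings) -> list[Finding]:
    """Probes that got a 200 with a body: data actually left the server."""
    return [f for f in findings if f.status == 200 and f.size > 0]


def count_by_source(findings) -> dict[str, int]:
    """How many sensitive-endpoint requests each client address made."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.ts} {f.ip} {f.path} -> {f.status} ({f.size} bytes)")
    print("successful dumps:", [f.path for f in successful_dumps(found)])
    print("requests per source:", count_by_source(found))
```

On the sample, the scanner flags the heapdump and env requests and ignores /actuator/health, which Spring Boot exposes by default and which leaks nothing sensitive; only the 200 with a 187MB body counts as a confirmed dump. The mitigation side is configuration rather than detection: in Spring Boot 2 and later the actuator exposes only health (and info) over HTTP unless `management.endpoints.web.exposure.include` widens it, so a heapdump endpoint reachable without authentication points at either a deliberately broadened exposure or, as in this story, a framework version old enough to predate that default.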
The TeleMessage archive is now on the Distributed Denial of Secrets website and he has also written a tool called TeleMessage Explorer so that people can have a look through the messages and find out what its customers, which include JP Morgan, VC firm Andreessen Horowitz, and the Washington DC police force, were talking about.
As for TeleMessage itself, the US Cybersecurity and Infrastructure Security Agency has already issued a warning about two security flaws in the code, which have now been fixed. The company had no comment at time of publication.
As for Lee, he says he has had no pushback from law enforcement over his actions, yet. ®