After Trump's national security adviser Mike Waltz was photographed using the TM SGNL app during a cabinet meeting, the incident set off alarm bells across the global cybersecurity community. Hackers and threat actors scrambled to uncover exploitable flaws in the app. Meanwhile, security researcher Micah Lee began publishing a series of explosive reports that gradually exposed just how fragile TM SGNL's security was.

[Image] Mike Waltz using TM SGNL in a cabinet meeting

Now, in what feels like the final nail in the coffin, Lee has published a new exposé in WIRED detailing how a hacker, who contacted him on condition of confidentiality, demonstrated just how easily the app and its users could be compromised.

A Breach Unfolds

The hacker first targeted TeleMessage's admin portal at secure.telemessage.com and immediately noticed an alarming flaw: passwords were being hashed with MD5 in the browser before being sent to the server. Client-side hashing of this kind is a deprecated, insecure practice that effectively renders the hashing useless: if the server stores or compares that digest directly, the digest itself becomes the credential, so anyone who captures it (from traffic, a log or a memory dump) can replay it without ever knowing the password, and an unsalted MD5 of a human-chosen password is trivially cracked against a wordlist. Further probing of the admin panel revealed that the portal was built on JSP (JavaServer Pages), a legacy Java web technology dating from the early 2000s, which raised immediate red flags about the platform's overall security posture.
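To make the client-side hashing point concrete, here is an added example, not code from the article or from TeleMessage's portal, that contrasts the pattern the hacker described with a server-side salted, slow hash. The password, the wordlist and all function names are constructed for illustration; the PBKDF2 parameters are this example's choice, not anything the article describes.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed demo data (not from TeleMessage): one user's password and a tiny wordlist.
DEMO_PASSWORD = "Winter2024!"
DEMO_WORDLIST = ["password", "letmein", "Winter2024!", "Summer2023"]


# --- Vulnerable pattern: the browser hashes with MD5 and sends the digest ---

def client_side_md5(password: str) -> str:
    """What a JavaScript login form does in this pattern: unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def vulnerable_server_login(stored_md5: str, submitted_md5: str) -> bool:
    """Server compares the received digest to the stored one. Whoever holds
    the digest (sniffed, or read out of a heap dump) is 'authenticated'."""
    return hmac.compare_digest(stored_md5, submitted_md5)


def pass_the_hash(stored_md5: str) -> bool:
    """An attacker replays a captured MD5 without ever knowing the password."""
    return vulnerable_server_login(stored_md5, stored_md5)


def crack_unsalted_md5(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Unsalted, fast MD5 means one cheap hash per candidate word."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


# --- Hardened pattern: password sent over TLS, slow salted hash on the server ---

PBKDF2_ROUNDS = 600_000  # example work factor for PBKDF2-HMAC-SHA256


def make_password_record(password: str) -> Tuple[bytes, bytes]:
    """Server generates a random per-user salt and stores (salt, derived key)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


def hardened_server_login(record: Tuple[bytes, bytes], submitted_password: str) -> bool:
    """Server re-derives from the submitted *password*. A leaked derived key
    cannot be replayed because the server never accepts a key as input."""
    salt, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(key, candidate)


def demo() -> Dict[str, object]:
    """Run both patterns against the constructed credential and report the outcomes."""
    stored = client_side_md5(DEMO_PASSWORD)
    record = make_password_record(DEMO_PASSWORD)
    return {
        "md5_replay_works": pass_the_hash(stored),
        "md5_cracked_to": crack_unsalted_md5(stored, DEMO_WORDLIST),
        "pbkdf2_correct_password": hardened_server_login(record, DEMO_PASSWORD),
        # Replaying the stored key as if it were the password must fail.
        "pbkdf2_replayed_key_rejected": not hardened_server_login(record, record[1].hex()),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened half is not that PBKDF2 is magic but that the secret the server accepts (the password) is never the thing it stores (the derived key), so a memory dump or database leak yields nothing directly replayable. Client-side MD5 collapses those two things into one.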

Using feroxbuster, a content-discovery tool that brute-forces directory and file names, the hacker expanded the attack surface to another TeleMessage domain, archive.telemessage.com. There they discovered a dangerously exposed endpoint: /heapdump.

Secrets in the Heap

Requesting the /heapdump URL triggered the download of a roughly 150 MB Java heap dump, a snapshot of the server process's memory. The endpoint is a standard diagnostic feature of Spring Boot Actuator, but it hands over everything the JVM currently holds in memory and should never be reachable without authentication, let alone from the public internet.

A quick search for the term "password" within the dump turned up usernames and passwords in plaintext. Among them were credentials linked to a U.S. Customs and Border Protection (CBP) employee; CBP later confirmed to reporters that it was indeed a TeleMessage customer.
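As an added illustration, not taken from the article or from the hacker's tooling, the following Python does the "search the dump for password" step over a heap-dump-like byte blob. The sample blob is constructed here and contains no real data. The one real-world detail it models is that Java String contents inside an HPROF heap dump can appear either as raw single-byte Latin-1 (compact strings on modern JDKs) or as big-endian UTF-16 char arrays, so a plain ASCII `strings`-style search can miss half the hits.

```python
import re
from typing import Dict, Iterable, List

# Keywords worth searching a dump for; extend as needed.
KEYWORDS = ("password", "passwd", "secret", "apikey", "api_key", "token")

# Printable runs of at least 6 characters, once as raw bytes (Latin-1 compact
# strings, HTTP/form buffers) and once as UTF-16BE, the byte order in which a
# Java char[] is laid out inside an HPROF dump.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16BE_RUN = re.compile(rb"(?:\x00[\x20-\x7e]){6,}")


def extract_strings(blob: bytes) -> List[str]:
    """Return printable runs found in both encodings."""
    found = [m.group().decode("latin-1") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-be") for m in UTF16BE_RUN.finditer(blob)]
    return found


def find_secrets(blob: bytes, keywords: Iterable[str] = KEYWORDS) -> Dict[str, List[str]]:
    """Map each keyword to the strings that contain it (case-insensitive)."""
    hits: Dict[str, List[str]] = {}
    for s in extract_strings(blob):
        low = s.lower()
        for kw in keywords:
            if kw in low:
                hits.setdefault(kw, []).append(s)
    return hits


def build_sample_heap() -> bytes:
    """Constructed stand-in for a heap dump fragment: binary padding around an
    HTTP form buffer (raw bytes) and a JDBC URL held in a Java char[] (UTF-16BE).
    Every value below is made up for the example."""
    noise = bytes(range(256)) * 2
    form_buffer = b"username=demo.user&password=Hunter2!&remember=1"
    java_string = "jdbc:postgresql://db.example/archive?user=svc&password=Arch1ve!".encode("utf-16-be")
    return noise + form_buffer + noise + java_string + noise


if __name__ == "__main__":
    for kw, strings in find_secrets(build_sample_heap()).items():
        print(kw)
        for s in strings:
            print("   ", s)
```

On a real 150 MB dump you would stream the file in chunks rather than read it whole, and you would feed it to a heap analyser (for example Eclipse MAT) to walk object references from the hits back to the owning session or configuration objects; the regex pass is just the quick triage the hacker described.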

The hacker also found unencrypted internal chat logs, including messages from employees at Coinbase, one of the world’s largest cryptocurrency exchanges. Coinbase told 404 Media that there was no evidence any sensitive customer data had been compromised.

The Bottom Line

All of this (government accounts, plaintext chats, passwords and even encryption keys) was discovered in just 15 to 20 minutes of probing, the hacker claims. And it gets worse. Reviewing the TM SGNL client source code, the hacker found that messages sent through the app were uploaded to the archive.telemessage.com server in a form the server could read, that is, without end-to-end encryption, directly contradicting TeleMessage's marketing claims.

Spring Boot's documentation warns that Actuator endpoints such as the heap dump "may contain sensitive information" and should be carefully protected; current Spring Boot releases do not even expose heapdump over HTTP unless an operator explicitly adds it to management.endpoints.web.exposure.include. TeleMessage failed to heed that advice. The exposed heap dumps contained usernames, passwords, chat logs, encryption keys and potentially even live message data.
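From the defender's side, the cheapest check is whether anyone has already pulled these endpoints. The following is an added detection example, not from the article, that flags successful responses for Spring Boot Actuator diagnostic paths in combined-format web server access logs. The log lines are constructed for this example (RFC 5737 documentation addresses, invented user agents) and are not TeleMessage's logs.

```python
import re
from typing import Dict, List, Optional

# Constructed combined-format access log lines; nothing here is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2025:14:02:11 +0000] "GET /login.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [04/May/2025:14:02:40 +0000] "GET /env HTTP/1.1" 404 153 "-" "feroxbuster/2.10"
203.0.113.7 - - [04/May/2025:14:02:41 +0000] "GET /heapdump HTTP/1.1" 200 157286400 "-" "feroxbuster/2.10"
198.51.100.9 - - [04/May/2025:14:05:02 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.29"
198.51.100.9 - - [04/May/2025:14:06:30 +0000] "GET /actuator/heapdump HTTP/1.1" 401 0 "-" "curl/8.5"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

# Diagnostic endpoints whose successful download is worth an alert. Spring Boot 1.x
# served them at the root (/heapdump); 2.x and later put them under /actuator/.
SENSITIVE = re.compile(
    r"^(?:/actuator)?/(?:heapdump|env|configprops|threaddump|mappings|beans)(?:[/?]|$)"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_actuator_exposure(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per sensitive path that answered 2xx, i.e. the data actually left.
    Requests that were blocked (401/403) or did not exist (404) are recon, not loss."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if SENSITIVE.match(rec["path"]) and rec["status"].startswith("2"):
            alerts.append({"ip": rec["ip"], "path": rec["path"],
                           "size": rec["size"], "ua": rec["ua"], "ts": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_actuator_exposure(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} downloaded {a['path']} ({a['size']} bytes) via {a['ua']}")
```

The 404 for /env and the 401 for /actuator/heapdump in the sample are deliberately left unflagged: they show scanning, which is a lower-severity signal, whereas a 2xx on /heapdump with a response size in the tens of megabytes means a memory image is already in someone else's hands.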

Had a malicious actor pulled the dump while Mike Waltz was using the app during that now-infamous cabinet meeting, the memory snapshot could have contained his messages, unencrypted and in near real time.

Source:hxxps[://]www[.]wired[.]com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes/

Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news