Signal Knockoff TeleMessage Hacked in Just 20 Minutes

Significant Security Breach Unveils Flaws in TeleMessage’s Systems

Introduction

A recent incident involving a hacker gaining unauthorized access to TeleMessage’s servers has unveiled serious security vulnerabilities. The breach compromises sensitive data linked to a customer account associated with the U.S. Customs and Border Protection (CBP) agency and a major cryptocurrency exchange, Coinbase.

The Breach

Using a single pair of credentials (a username and password), the hacker logged in to the TeleMessage platform and quickly exposed the account of a CBP user. CBP subsequently confirmed that it is a TeleMessage client. The attacker reported spending only a brief period—15 to 20 minutes—digging through the heap dump of TeleMessage’s servers before uncovering sensitive chat logs from Coinbase.

In response to inquiries, Coinbase stated, “There is no evidence any sensitive Coinbase customer information was accessed or that any customer accounts are at risk, since Coinbase does not use this tool to share passwords, seed phrases, or other data needed to access accounts.”

Service Vulnerabilities

Through an analysis of TM SGNL’s source code, it became evident that TeleMessage applications—such as the one used by Mike Waltz—upload unencrypted messages to an archive server. This finding contradicts the company’s claims of employing “end-to-end encryption” for their messaging services.

Technical Details of the Exploit

The archive server is written in Java with Spring Boot and includes the Actuator component, which exposes HTTP endpoints intended for monitoring and debugging a running application. Spring Boot Actuator’s own documentation warns that exposing these endpoints over the network, particularly without authentication, carries serious security risk.

The heap dumps accessed during the breach included usernames, passwords, unencrypted logs, cryptographic keys, and other sensitive information. Because a heap dump is a snapshot of everything the Java process holds in memory, this misconfiguration created the potential for immediate exploitation: anyone who fetched the heap dump URL while a message was being processed could have intercepted unencrypted Signal messages as well.

Common Misconfigurations

A 2024 post from Wiz, a cloud security firm, identified the “Exposed HeapDump file” as a prevalent misconfiguration in Spring Boot Actuator. Historically, the heap dump endpoint was publicly accessible without authentication. Although later Spring Boot releases restricted which endpoints are exposed by default, many developers re-enable broad exposure or switch off authentication on the actuator endpoints for diagnostic convenience, and that configuration then ships unchanged to production.

Warnings from industry experts highlight the risks associated with exposing actuator endpoints, underscoring the necessity for robust security measures in production setups.
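The two Spring Boot configurations below, an added illustration rather than TeleMessage’s actual files, show the kind of Actuator setting described in the previous two sections beside a hardened version. The first document exposes every Actuator endpoint, including heapdump, on the application’s public port with no authentication; the second keeps only health and info reachable, disables the heapdump endpoint outright, and moves the remaining management endpoints to a separate port bound to the loopback interface. All property names are standard Spring Boot Actuator properties; the port numbers are assumed values.

```yaml
# --- Weak configuration (illustrative, not from the article) ---------------
# Everything Actuator offers is served from the same port as the application,
# so /actuator/heapdump is reachable by any client that can reach the app.
server:
  port: 8080          # assumed application port
management:
  endpoints:
    web:
      exposure:
        include: "*"  # exposes ALL endpoints, including heapdump and env
  endpoint:
    heapdump:
      enabled: true   # full JVM memory snapshot: credentials, keys, message bodies

---
# --- Hardened configuration (illustrative) ----------------------------------
server:
  port: 8080          # assumed application port
management:
  endpoints:
    web:
      exposure:
        include: "health,info"   # only non-sensitive endpoints are served over HTTP
        exclude: "heapdump,env,threaddump"  # belt-and-braces: never serve these
  endpoint:
    heapdump:
      enabled: false  # the endpoint does not exist at all, regardless of exposure
  server:
    port: 9090        # assumed separate management port
    address: 127.0.0.1  # management port listens on loopback only
```

With the hardened document in place, a request to /actuator/heapdump on the application port should return a 404 rather than a file download; checking that against a freshly deployed instance is a cheap release gate. Disabling the endpoint is preferable to relying on authentication alone, because a heap dump of a production archive server contains exactly the plaintext the service claims to protect, and an authenticated but exposed endpoint still falls with a single leaked credential pair, which is how the breach described above began.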

Conclusion

This incident not only highlights critical vulnerabilities within TeleMessage’s systems but also calls into question the practices employed by organizations using its services. The swift and extensive access gained by the hacker serves as a reminder of the importance of securing sensitive data and properly configuring software applications to prevent similar breaches in the future.
