How a Signal clone app was hacked in 20 minutes

Trying to log in to secure.telemessage.com with one pair of credentials, the hacker discovered that they had just compromised users with email addresses associated with U.S. Customs and Border Protection, one of the agencies carrying out Trump's hard-line immigration policies. CBP has since confirmed that it is a TeleMessage customer.

After a few minutes of digging through the dump, the hacker also found plaintext chat logs. "I can read Coinbase internal chats, which is incredible," the hacker said. (Coinbase did not respond to Wired's request for comment, but told 404 Media: "There is no evidence any sensitive Coinbase customer information was accessed or that any customer accounts are at risk, since Coinbase does not use this tool to share passwords, seed phrases, or other data needed to access accounts.")

At this point, the hacker says, they had spent 15 to 20 minutes poking around on TeleMessage's servers and had already compromised a federal government customer as well as one of the world's largest cryptocurrency exchanges.

As I found from analyzing the TM SGNL source code, the TeleMessage apps (such as the one running on Mike Waltz's phone) send unencrypted messages to archive.telemessage.com (which I call the archive server), which then forwards the messages on to the customer's final archive destination. This contradicts TeleMessage's public marketing material, which claims that TM SGNL uses "end-to-end encryption from the mobile phone through to the corporate archive."

The archive server is written in Java and built with Spring Boot, an open source framework for creating Java applications. Spring Boot includes a set of features called Actuator that help developers monitor and debug their applications. One of these features is the heap dump endpoint, the URL the hacker used to download the heap dump.

According to the Spring Boot Actuator documentation: "Since endpoints may contain sensitive information, you should carefully consider when to expose them." In the case of TeleMessage's archive server, the heap contained usernames, passwords, unencrypted chat logs, encryption keys, and other sensitive information.

If anyone happened to be sending a message through the TM SGNL app at the moment someone on the internet loaded the heap dump URL, the heap dump file would also contain their unencrypted Signal messages.

A 2024 post on the blog of cloud security company Wiz lists "exposed heapdump files" as the first common misconfiguration in Spring Boot Actuator. "Until version 1.5 (released in 2017), the /heapdump endpoint was configured as publicly exposed and without authentication by default. Since then, in later versions, Spring Boot Actuator changed its default configuration to expose only the /health and /info endpoints without authentication (those are less interesting to an attacker)," the author wrote. "Despite these improvements, developers often disable these security measures for diagnostic purposes when deploying applications to test environments, and this seemingly small configuration change can go unnoticed when the application is pushed to production, giving attackers unauthorized access to critical data."

In a 2020 article on the Walmart Global Tech blog, another developer issued a similar warning. "All Actuator endpoints except /health and /info are risky to open to end users, because they expose application dumps, logs, configuration data, and controls," the author writes. "Actuator endpoints are sensitive and should never be exposed in production."

The speed with which the hacker exploited TeleMessage shows that the archive server was poorly configured. Either it was running an eight-year-old version of Spring Boot, or someone had manually configured it to expose the heap dump endpoint to the public internet.
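As an added example, not code from this article or from TeleMessage, here is a small Python check that reads a Spring Boot `application.properties` and flags the kind of Actuator exposure described above. The two sample configurations are constructed; the property names are the ones Spring Boot 2.x Actuator uses, and the default exposure when `include` is unset is deliberately not judged, since it has changed between versions.

```python
"""Lint a Spring Boot application.properties for Actuator heapdump exposure."""

# Constructed sample: opens every Actuator endpoint over HTTP, heapdump included.
WEAK = """
management.endpoints.web.exposure.include=*
"""

# Constructed sample: only health/info over HTTP, heapdump disabled entirely,
# and Actuator moved to a separate port bound to loopback.
HARDENED = """
management.endpoints.web.exposure.include=health,info
management.endpoint.heapdump.enabled=false
management.server.port=8081
management.server.address=127.0.0.1
"""


def parse_properties(text):
    """Parse key=value lines; '#' and '!' start comments (Java .properties)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}


def heapdump_web_exposed(props):
    """True when the config explicitly exposes /actuator/heapdump over HTTP."""
    if props.get("management.endpoint.heapdump.enabled", "true").lower() == "false":
        return False  # endpoint disabled outright; exposure settings are moot
    include = _csv(props.get("management.endpoints.web.exposure.include", ""))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if "*" in exclude or "heapdump" in exclude:
        return False  # exclude takes precedence over include in Spring Boot
    return "*" in include or "heapdump" in include


def findings(text):
    """Return human-readable findings for one properties file."""
    props = parse_properties(text)
    out = []
    if heapdump_web_exposed(props):
        out.append("heapdump endpoint exposed over HTTP")
    if "management.server.port" not in props:
        out.append("Actuator shares the application port; consider management.server.port")
    return out
```

Note that even the hardened settings still assume Spring Security in front of the management port; exposure rules control which endpoints are routable, not who may reach them.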

That is why it took only about 20 minutes of poking around before sensitive data came spilling out.

Despite this serious vulnerability and other security problems with TeleMessage's products, most notably that the Israeli company that built them could access the chat logs of all its customers in plaintext, the Trump administration deployed it on the phone of Mike Waltz, the national security adviser.