TeleMessage’s website was improperly configured, according to a source who contacted Drop Site. The website’s backend exposed users’ unencrypted emails, passwords, usernames, and phone numbers to the public. Following a report by 404 Media that showed the website had been hacked in the past few days, the source pointed out that the company had been publicly exposing user credentials for years—with no hacking required to view them. To confirm the tip, Drop Site used open-source tools to recreate a list of URLs inadvertently left public over the past few years that included exposed credentials.

The origin of the leak appears to be a “Sign Up” page for the service. User credentials were improperly displayed in unencrypted URLs when users logged in and out. Former National Security Advisor Mike Waltz’s credentials do not appear to be visible in the data, but many other user credentials appear to be authentic. A hacker-for-hire from Sri Lanka, an employee at a Spanish wealth management firm, and a Pakistani web developer were found among the leaked users.

“This isn't just normal bad security. This is really having the crown jewels hanging out there,” said Bill Budington, senior staff technologist at the Electronic Frontier Foundation. “If someone was trying to observe best practices, the passwords would be hashed with a salt, meaning they're not revealed in a hash table. This is standard best practice for like 20 years.” Cryptographic hashing transforms some snippet of text (a password, for example) into something that can't be easily deciphered. Salting goes one step further and makes it even harder to look up that text in a pre-generated list. This basic technology can avoid catastrophic disclosures of sensitive user data.

Since TeleMessage was used on an iPhone belonging to Mike Waltz, and likely other high level White House officials, the revelation raises further questions about why an app with connections to Israeli intelligence seems designed to expose users to the risk of a data breach. Visible in the Reuters image of Waltz’s phone are Vice President JD Vance and Director of National Intelligence Tulsi Gabbard.

On Tuesday, Senator Wyden sent a letter to Attorney General Pam Bondi demanding an investigation into “the serious threat to U.S. national security posed by TeleMessage, a federal contractor that sold dangerously insecure communications software to the White House and other federal agencies.” The letter goes on to acknowledge the counterintelligence risks posed by the app.

“The government agencies that have adopted TeleMessage Archiver have chosen the worst possible option. They have given their users something that looks and feels like Signal, the most widely trusted secure communications app. But instead, senior government officials have been provided with a shoddy Signal knockoff that poses a number of serious security and counterintelligence threats,” Senator Wyden wrote.

Letter to The DOJ and Pam Bondi on TeleMessage

220KB ∙ PDF file

Download

Download

“The government has no reason to use a Signal knockoff that raises obvious counterintelligence concerns,” Senator Ron Wyden wrote to Drop Site in a statement. “The Navy, NATO and other allied governments already use secure communications tools that comply with record keeping rules. Trump and his national security team might as well post American battle plans on X at this rate.”

Waltz’s use of TeleMessage’s Signal archive app was made public when his phone screen was captured by a Reuters photojournalist. As Drop Site previously reported, the app’s developers are former Israeli intelligence officials, and the staff employed by the company have worked with some of the most notorious Israeli spyware firms.

Though mainstream news outlets have reported on the usage of the app, few have mentioned the connections to Israeli intelligence or the massive counterespionage risk presented. WIRED interviewed former NSA official Jake Williams, who said it was “mind-blowing that the federal government would use Israeli tech to route extremely sensitive data for archival purposes.”

As reported by Unicorn Riot, TeleMessage uses WordPress in its backend servers and to manage its API. As they point out, this may not be unusual for a large telecom services company, but what is unusual is for a company to be charged with handling the personal communications of White House staff. More alarmingly, on May 1, the same day the app was reported to be used by Mike Waltz, a vulnerability was reported by the National Institute of Standards and Technology (NIST) in the Gravity Forms plugin used on the TeleMessage website.

According to NIST, the vulnerability “makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.”

“The possibilities are nearly endless. You can imagine an adversary to one of these agencies, with any sort of skill, already has these messages," Budington told Drop Site.

In short, for a company selling “secure” archiving technology to the White House, TeleMessage appears to have security problems. The hackers who contacted 404 Media claimed it took them less than half an hour to breach the digital walls of the company and extract extremely sensitive internal data, including messages belonging to the DC Metropolitan Police Department and US Customs and Border Patrol.

On Monday, Smarsh, TeleMessage’s parent company, told Wired it was “suspending all services” as it investigates the hack. “Out of an abundance of caution, all TeleMessage services have been temporarily suspended.”

TeleMessage has scrubbed its corporate website of mentions of its Signal archive tool, according to a comparison of archived versions from The Internet Archive. Links on the page do not appear to be functioning at the time of publication. TeleMessage and The White House did not reply to a request for comment.

Do you have more information about the U.S. government’s usage of Signal or TeleMessage? Contact Jason securely on Signal at jpal.01 or via email at jpaladino@proton.me

Leave a comment