Knock-off Signal app Mike Waltz was caught using can be hacked in ‘15 to 20 minutes,' report says

Yahoo

19-05-2025

The 'knock-off' Signal app Mike Waltz was caught using, which lacks security guarantees, can be hacked in '15 to 20 minutes,' according to a report.
Days after former National Security Adviser Mike Waltz was caught in photos using a Signal dupe called TeleMessage Signal, or TM SGNL, a hacker broke into the app and was able to access sensitive data. The app, which archives copies of all messages, unlike Signal, was infiltrated easily and within a matter of minutes all thanks to a basic misconfiguration in the app, the hacker told Wired.
'I would say the whole process took about 15 to 20 minutes,' the hacker said. 'It wasn't much effort at all.'
TeleMessage, which has since temporarily suspended its services, had a weak password system and a slew of other issues that allowed the hacker to easily infiltrate.
'I first looked at the admin panel secure.telemessage.com and noticed that they were hashing passwords to MD5 on the client side, something that negates the security benefits of hashing passwords, as the hash effectively becomes the password,' the hacker said.
Hashing is a security measure that transforms plain-text passwords into a seemingly random string of characters, making it difficult to determine the original password. However, TeleMessage used MD5, an inadequate version of the algorithms used to hash passwords, according to Wired.
TeleMessage was also programmed with JSP, an antiquated program to create web apps in Java, which made the hacker realize 'their security must be poor.'
The hacker then utilized Feroxbuster, which locates publicly available resources on a website, to find a vulnerable URL to hack. They were then led to a Java heap dump – a snapshot of the server's memory the moment they loaded the URL – and discovered usernames and passwords of random accounts.
The hacker tried logging into the app with a random pair of credentials they had just gained access to – and eventually hacked into an account with an email address associated with US Customs and Border Protection.
CBP confirmed to Wired that it was a TeleMessage customer.
The hacker was then able to read plaintext chat logs, including internal conversations from Coinbase, a popular crypto trading platform.
Within 15 to 20 minutes, the hacker said they were able to compromise CBP and Coinbase, according to the report.
According to the report, the app uploaded unencrypted messages to archive.telemessage.com before forwarding the messages to the customer's intended destination. This goes against TeleMessage's claims that the app uses 'end-to-end encryption from the mobile phone through to the corporate archive,' according to the report.
Additionally, according to the report, if anyone had loaded the heap dump URL as Mike Waltz was texting on the app, they would have been able to gain access to his encrypted Signal messages as well.
Waltz was Trump's National Security Adviser before being removed from his post and tapped to be the U.S. ambassador to the United Nations.
The shakeup happened after Waltz accidentally added Jeffrey Goldberg, the editor-in-chief of The Atlantic, to a Signal group chat where top Trump officials were discussing imminent U.S. military strikes on Yemen.
Goldberg then reported on what was supposed to be a secret dialogue between officials, including Defense Secretary Pete Hegseth and Vice President JD Vance, causing a scandal for the Trump administration.
Secretary of State Marco Rubio is Trump's acting National Security Adviser until he names an official replacement.