Hackers Claim To Steal Files From App Used by Trump Adviser
Briefly

Hackers have reportedly stolen messages from TeleMessage, a messaging application intended for secure communications. Despite its encryption features similar to those of Signal, the platform allows for organizational backups, which undermines security. Thomas Richards of Black Duck highlights the risks posed by accessible stored messages that may not be encrypted. The app's use by Mike Waltz, former national security adviser, added to worries about security. Experts emphasize the importance of rigorous testing for security applications and the limitations of frameworks, as noted by Casey Ellis of Bugcrowd. TeleMessage's services are currently suspended.
This breach is alarming on many levels. Taking a secure messaging application and changing a core functionality such as backing up messages essentially breaks the security model.
Any organization that is looking into a secure messaging application for compliance reasons should do a thorough review of the application. This should include at least a penetration test against the application and a threat model to understand what risks the application could introduce.
Hopefully this will go down in AppSec history as a prime example of why frameworks aren't a silver-bullet security solution. The Signal source code is phenomenal and incredibly robust; however, there are certain things that it can't and won't protect against.
Read at Securitymagazine