The inside story of the TeleMessage saga
Briefly

Micah Lee demonstrated how he hacked the TeleMessage app, used by White House officials, successfully accessing a database containing 410GB of messages. TeleMessage, intended to be secure, actually stored hardcoded credentials for a WordPress API and backed up messages to a SQLite database. Within minutes of analyzing the open-source Android code, Lee discovered vulnerabilities. Messages could be easily accessed by anyone through public links that provided Java heap dumps. This incident highlights the risks of poor security practices in supposedly secure messaging platforms.
"I analyzed the Android source code, which TeleMessage published on their website, although it was kind of hard to find," he said.
"After three minutes of examination, I spotted that the app had hardcoded credentials stored for a WordPress API."
"Every message sent using the app was backed up to a SQLite database via HTTPS, and a fellow hacker also working on the TeleMessage app backtraced some messages and sent him a data dump from one of TeleMessage's customers."
"It turns out the messages were very easy to find. By repeatedly looking on archive.telemessage.com/management/heapdump anyone could download Java heap dumps of messages."
Read at The Register