It turns out no one was clean on OPSEC

DEF CON  On Saturday at DEF CON, security boffin Micah Lee explained just how he hacked into TeleMessage, the supposedly secure messaging app used by White House officials, which in turn led to a massive database dump of their communications.…

  • sbv@sh.itjust.works · 3 days ago

    After “three minutes” of examination, he spotted that the app had hardcoded credentials stored for a WordPress API. Every message sent using the app was backed up to a SQLite database via HTTPS

    It turns out the messages were very easy to find. By repeatedly looking on archive.telemessage.com/management/heapdump anyone could download Java heap dumps of messages, and running the command line tool strings showed a lot of JSON objects, many of which contained plain text messages.

    The heap dump had the good stuff. But what’s the deal with the WordPress API?