It turns out no one was clean on OPSEC
DEF CON On Saturday at DEF CON, security boffin Micah Lee explained just how he hacked into TeleMessage, the supposedly secure messaging app used by White House officials, which in turn led to a massive database dump of their communications.…
After “three minutes” of examination, he spotted that the app had hardcoded credentials stored for a WordPress API. Every message sent using the app was backed up to a SQLite database via HTTPS
…
It turns out the messages were very easy to find. By repeatedly looking on archive.telemessage.com/management/heapdump anyone could download Java heap dumps of messages, and running the command line tool strings showed a lot of JSON objects, many of which contained plain text messages.
The heap dump had the good stuff. But what’s the deal with the WordPress API?
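A defender's check for the exposure described in the excerpt, added here as an example and not taken from the post or the quoted article: it scans web access logs for successful downloads from any path ending in `/heapdump`. The log lines are constructed, and the combined log format, the `-` remote-user field meaning "no authentication", and the `min_bytes` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real data.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2025:10:01:02 +0000] "GET /management/heapdump HTTP/1.1" 200 157286400 "-" "curl/8.5.0"
203.0.113.7 - - [04/May/2025:10:06:40 +0000] "GET /management/heapdump HTTP/1.1" 200 161480704 "-" "curl/8.5.0"
198.51.100.23 - - [04/May/2025:10:07:11 +0000] "GET /management/heapdump HTTP/1.1" 401 0 "-" "Mozilla/5.0"
192.0.2.55 - - [04/May/2025:10:08:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [04/May/2025:10:09:30 +0000] "GET /management/heapdump?x=1 HTTP/1.1" 200 150994944 "-" "Mozilla/5.0"
"""

# ip, identd, remote user, [timestamp], "METHOD target PROTO", status, bytes sent
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def find_heapdump_downloads(log_text, min_bytes=1_000_000):
    """Return {client_ip: [(timestamp, bytes_sent), ...]} for successful,
    unauthenticated responses from any path ending in /heapdump."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        # Ignore the query string and a trailing slash when matching the path.
        path = m["target"].split("?", 1)[0].rstrip("/").lower()
        size = 0 if m["size"] == "-" else int(m["size"])
        # A 200 with a large body and no authenticated user means a dump left the host.
        if (path.endswith("/heapdump") and m["status"] == "200"
                and m["user"] == "-" and size >= min_bytes):
            hits[m["ip"]].append((m["ts"], size))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in find_heapdump_downloads(SAMPLE_LOG).items():
        total = sum(size for _, size in events)
        print(f"{ip}: {len(events)} heap dump download(s), {total} bytes")
```

Any hit means process memory was served to that client, so the secrets and message content resident in the heap at that time should be treated as disclosed.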