TeleMessage MD5 Hashing Vulnerability in Authentication Process
Vulnerability
A vulnerability exists in the TeleMessage service, specifically in the TM SGNL application, which is a clone of Signal. The application hashes authentication credentials with MD5 on the client side and sends the digest to the server, so the digest itself is what the server checks and whoever holds it can authenticate without recovering the password. This flaw has been exploited in the wild, allowing unauthorized access to user accounts and to sensitive data such as plaintext chat logs and encryption keys. The vulnerability is rooted in the use of an outdated and insecure hashing algorithm for credential handling, combined with a server misconfiguration that exposed sensitive information.
Impact
Exploitation of this vulnerability allows for unauthorized access to user accounts, including those of federal government employees. It also exposes sensitive information such as unencrypted chat logs, encryption keys, and personal data like usernames and passwords.
Reproduction
The vulnerability can be reproduced from the TeleMessage admin panel, where passwords are hashed with MD5 on the client side before being sent. Because the server only ever sees and compares the digest, the hash effectively becomes the password: possessing it is enough to authenticate, with no cracking required. After identifying this flaw, the archive.telemessage.com domain can be scanned for vulnerable URLs that expose Java heap dumps. Loading these URLs retrieves heap dumps containing sensitive information, including unencrypted chat logs and user credentials, which can be used to gain unauthorized access to accounts.
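The following Python is an added illustration, not code from TeleMessage or from this page. It models the weak design described above (the client MD5-hashes the password and the server compares digests) next to a server-side salted PBKDF2 scheme, and shows why a stored verifier is a usable credential in the first design but not in the second. All names, the sample password and the iteration count are constructed for the example; the iteration count is an assumption to be tuned for real hardware.

```python
import hashlib
import hmac
import os

# --- Weak scheme, as described on the page: the client hashes the password
# with unsalted MD5 and the server stores and compares that digest. ---

def weak_client_credential(password: str) -> str:
    """What the client transmits in the weak scheme: hex MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def weak_server_register(password: str) -> str:
    """The server stores exactly the value the client will send at login."""
    return weak_client_credential(password)

def weak_server_login(stored_verifier: str, submitted_credential: str) -> bool:
    """Accepts whatever equals the stored digest, so the digest is the password."""
    return hmac.compare_digest(stored_verifier, submitted_credential)

# --- Hardened scheme: the client sends the password over TLS, the server
# derives a salted, slow verifier and never accepts the verifier as input. ---

PBKDF2_ITERATIONS = 600_000  # assumed starting point; benchmark on real hardware

def strong_server_register(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; identical passwords get different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}

def strong_server_login(record: dict, submitted_password: str) -> bool:
    """Re-derives from the submitted *password*; replaying the stored hash fails."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted_password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])

def verifier_replay_outcomes(password: str) -> dict:
    """Models a leaked verifier (for example from a memory dump) being submitted as the credential."""
    weak_record = weak_server_register(password)
    strong_record = strong_server_register(password)
    return {
        # Weak scheme: the stored MD5 is also the login credential.
        "weak_verifier_replay_succeeds": weak_server_login(weak_record, weak_record),
        # Strong scheme: submitting the stored hash as the password does not verify.
        "strong_verifier_replay_succeeds": strong_server_login(strong_record, strong_record["hash"].hex()),
        # Strong scheme still works for the real password.
        "strong_real_password_succeeds": strong_server_login(strong_record, password),
    }

if __name__ == "__main__":
    print(verifier_replay_outcomes("correct horse battery staple"))  # constructed sample password
```

The two other properties worth noticing when running this: two users with the same password get identical weak verifiers (unsalted MD5 is deterministic), while `strong_server_register` produces different records each time, and the hardened server's `login` only ever takes a password, so nothing recoverable from server memory or storage is directly usable to log in.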
