TeleMessage Long-Lived Credential Authentication Vulnerability Allowing Account Compromise
Vulnerability
A vulnerability exists in the TeleMessage service, through May 5, 2025, due to the use of long-lived credentials for authentication. These credentials can be reused if discovered by an adversary. This vulnerability was exploited in the wild in May 2025, leading to unauthorized access to user accounts and sensitive data.
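The following added example (not TeleMessage code and not part of the original advisory) shows the server-side counterpart to this weakness: credentials that expire and can be revoked, so a value captured by an adversary stops working. All names, the 15-minute lifetime and the token layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical names and values throughout; constructed for this example.
SERVER_KEY = secrets.token_bytes(32)   # signing key, held server-side only
TOKEN_TTL = 900                        # assumed credential lifetime: 15 minutes
_revoked = set()                       # token ids revoked before they expire


def _sign(payload: bytes) -> str:
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_token(user: str, now: Optional[float] = None) -> str:
    """Return 'user|token_id|expiry|signature', valid for TOKEN_TTL seconds."""
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    now = time.time() if now is None else now
    body = f"{user}|{secrets.token_hex(8)}|{int(now) + TOKEN_TTL}"
    return f"{body}|{_sign(body.encode())}"


def revoke(token: str) -> None:
    """Invalidate a token immediately, e.g. after a suspected exposure."""
    parts = token.split("|")
    if len(parts) == 4:
        _revoked.add(parts[1])


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name only if the token is authentic, unexpired, unrevoked."""
    now = time.time() if now is None else now
    try:
        user, token_id, expiry, sig = token.split("|")
        expires_at = int(expiry)
    except ValueError:
        return None                    # malformed token
    body = f"{user}|{token_id}|{expiry}".encode()
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return None                    # forged or altered token
    if now >= expires_at or token_id in _revoked:
        return None                    # reuse after expiry or revocation
    return user
```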
Impact
Exploitation of this vulnerability allows unauthorized access to user accounts, including those of federal government employees. It also exposes sensitive information such as unencrypted chat logs, usernames, passwords, and encryption keys. In the case of the heap dump vulnerability, the exposed data could have included real-time Signal messages from users.
Reproduction
The vulnerability can be reproduced by accessing the TeleMessage admin panel, which exposes passwords hashed with the insecure MD5 algorithm. This misconfiguration allows sensitive user information to be extracted. Credentials obtained from the exposed heap dump can then be used to log into the admin panel and access additional sensitive data.
