TeleMessage Password Hashing Vulnerability Allowing Low-Effort Attacks
Vulnerability
A vulnerability exists in the TeleMessage service, a clone of the Signal messaging app, through a date in 2025, due to its reliance on MD5 for password hashing. This weak hashing method exposes users to various attack vectors, including rainbow-table lookups, with minimal computational effort. The vulnerability was highlighted when the app was used by a Trump administration official and subsequently hacked, revealing sensitive user information such as passwords and unencrypted chat logs.
Impact
The vulnerability allows for unauthorized access to user accounts, including those of federal government employees, and exposes plaintext chat logs, which can include sensitive information.
Reproduction
The vulnerability can be reproduced by accessing the TeleMessage admin panel, where passwords are hashed using MD5 on the client side. This weak hashing can be exploited by downloading a Java heap dump from a publicly exposed actuator endpoint, which contains unencrypted passwords and chat logs. The heap dump can be obtained from the archive.telemessage.com domain, taking advantage of the misconfigured Spring Boot Actuator that exposes sensitive data without authentication.
