The inside story of the Telemessage saga, and how you can view the data

It turns out no one was clean on OPSEC

[Iain Thomson](/Author/Iain-Thomson "Read more by this author") Sun 10 Aug 2025 // 00:30 UTC

**DEF CON** On Saturday at DEF CON, security boffin Micah Lee explained just how he hacked into TeleMessage, the supposedly secure messaging app used by White House officials, which in turn led to a massive database dump of their communications.

As possibly the most secure end-to-end encrypted messaging app, Signal is used by everyone from
security-conscious journalists to the former White House national security adviser Mike Waltz – although, as we saw in the [Signalgate saga](https://www.theregister.com/2025/04/25/signalgate_lessons_learned_if_creating/), no security systems can save one from stupidity like adding a journalist to your chat.

Shortly after the Signalgate fiasco, a canny photographer spotted Waltz was using a Signal clone, [TeleMessage](https://www.theregister.com/2025/05/05/telemessage_investigating/), which backed up messages to a server, reportedly intended to comply with the US Federal Records Act. Lee decided to investigate and explained to *The Register* how he managed to crack the system and put a 410GB database of messages online.

"I analyzed the Android source code, which TeleMessage published on their website, although it was kind of hard to find," he said.

"I spent a while trying to download a copy of the app, because I knew that if I had a copy, I could request the source code or they would be violating the Signal license. But they published the Android source code."

After "three minutes" of examination, he spotted that the app had hardcoded credentials stored for a WordPress API. Every message sent using the app was backed up to a SQLite database via HTTPS, and a fellow hacker also working on the TeleMessage app backtraced some messages and sent him a data dump from one of TeleMessage’s customers, the US Customs and Border Protection (CBP), including 780 emails of CBP officers.
It turns out the messages were very easy to find. By repeatedly checking `archive.telemessage.com/management/heapdump`, anyone could download Java heap dumps of messages, and running the command line tool `strings` showed a lot of JSON objects, many of which contained plain text messages.

"TeleMessage advertises that it’s end-to-end encrypted between the phone and their archive server, or wherever they’re at the final archive destination," he explained. In fact, however, "it’s just plain text messages going through their archive server. If you make a GET request to a specific URL, it hands you a memory dump of everything on the server, and the memory dump includes plain text chat messages."

The key for Lee was that the app used an open source Java framework called Spring Boot, and applying a debugger to the version used by TeleMessage was at least seven years old.
That, and the URL above to get the heap dumps, have now been fixed, but not before a lot of data was downloaded by Lee and others.

* [CISA warns the Signal clone used by natsec staffers is being attacked, so patch now](https://www.theregister.com/2025/07/02/cisa_telemessage_patch/)
* [TeleMessage security SNAFU worsens as 60 government staffers exposed](https://www.theregister.com/2025/05/26/security_in_brief/)
* [Signal chat app clone used by Signalgate’s Waltz was apparently an insecure mess](https://www.theregister.com/2025/05/05/telemessage_investigating/)
* [Signalgate lessons learned: If creating a culture of security is the goal, America is screwed](https://www.theregister.com/2025/04/25/signalgate_lessons_learned_if_creating/)

The TeleMessage archive is [now on](https://ddosecrets.com/article/telemessage) the Distributed Denial of Secrets website, and Lee has also written a tool called [TeleMessage Explorer](https://micahflee.com/telemessage-explorer-a-new-open-source-research-tool/) so that people can have a look through the messages and find out what its customers, which include JP Morgan, VC firm Andreessen Horowitz, and the Washington DC police force, were talking about.

As for TeleMessage itself, the US Cybersecurity and Infrastructure Security Agency has already [issued a warning](https://www.theregister.com/2025/07/02/cisa_telemessage_patch/) about two security flaws in the code, which have now been fixed. The company had no comment at time of publication.

As for Lee, he says he has had no pushback from law enforcement over his actions, yet.
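
Seen from the defender's side, the heap dump exposure described above leaves a clear trace in web access logs. The following is an added example, not code from the article, from Lee or from TeleMessage: a Python check that flags requests to a Spring Boot heap dump endpoint and separates served dumps from denied probes. The log lines are constructed, and the combined log format and the `/actuator/heapdump` path (the default location in newer Spring Boot releases) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:01:12 +0000] "GET /management/heapdump HTTP/1.1" 200 157286400 "-" "curl/8.5.0"
203.0.113.7 - - [01/Jan/2025:10:09:40 +0000] "GET /management/heapdump?x=1 HTTP/1.1" 200 161480704 "-" "curl/8.5.0"
198.51.100.23 - - [01/Jan/2025:10:11:02 +0000] "GET /actuator/heapdump HTTP/1.1" 401 0 "-" "python-requests/2.32"
192.0.2.50 - - [01/Jan/2025:10:12:30 +0000] "POST /api/messages HTTP/1.1" 201 312 "-" "okhttp/4.12"
192.0.2.50 - - [01/Jan/2025:10:12:41 +0000] "GET /docs/heapdump-guide.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Assumed log layout: client IP, two ignored fields, timestamp, request line, status, size.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Match only a final path segment named "heapdump", whatever prefix the app mounts it under.
HEAPDUMP_RE = re.compile(r'(?:^|/)heapdump/?$', re.IGNORECASE)


def find_heapdump_access(log_text):
    """Group heap dump requests by client IP: hits, served downloads, bytes served."""
    report = defaultdict(lambda: {"hits": 0, "served": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["target"].split("?", 1)[0]  # ignore any query string
        if not HEAPDUMP_RE.search(path):
            continue
        entry = report[m["ip"]]
        entry["hits"] += 1
        if m["status"] == "200":
            entry["served"] += 1
            entry["bytes"] += 0 if m["size"] == "-" else int(m["size"])
    return dict(report)


def triage(report):
    """A served dump means process memory left the host; a denied request is a probe."""
    return {ip: ("EXPOSED" if e["served"] else "probe") for ip, e in report.items()}


if __name__ == "__main__":
    for ip, verdict in triage(find_heapdump_access(SAMPLE_LOG)).items():
        print(ip, verdict)
```

Any `EXPOSED` result means whatever was in the JVM heap at that moment, message bodies and credentials included, should be treated as disclosed.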