Unveiling the details behind the Telemessage drama, and methods to access the stored data

CONFERENCE REVELATION: It appears that everyone fell short on Operational Security.

Secure Messaging App TeleMessage Hacked, Exposing Sensitive White House Communications

A supposedly secure messaging app used by White House officials, TeleMessage, has been hacked, leading to a massive database dump of their communications. The hack was primarily due to outdated and insecure configurations in the app's software.

The vulnerability, tracked as CVE-2025-48927, was listed by CISA in July 2025 as actively exploited in the wild. Although newer versions of Spring Boot, the Java framework TeleMessage is built on, disable this endpoint by default, TeleMessage instances remained misconfigured as late as May 2025. This allowed attackers to extract large amounts of data, including a 410GB database of messages from White House officials.
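The misconfiguration described above comes down to a handful of Spring Boot actuator settings. The following is an added example, not TeleMessage's code and not part of Spring Boot itself: a small audit script that reads an `application.properties` file and reports whether the `heapdump` endpoint would be served over the web, and at which path. It assumes the Spring Boot 2.x/3.x property names (`management.endpoints.web.exposure.include`, `management.endpoint.<id>.enabled`, `management.endpoints.web.base-path`); the two configurations `WEAK_CONFIG` and `HARDENED_CONFIG` are constructed for illustration, the weak one mirroring the exposed-under-a-custom-base-path pattern the article describes.

```python
"""Audit a Spring Boot application.properties for web exposure of actuator
endpoints such as heapdump.

Added example, not TeleMessage's or Spring's code. Assumes Spring Boot 2.x/3.x
property names (a stated assumption):
  management.endpoints.web.exposure.include   default "health"
  management.endpoints.web.exposure.exclude   takes precedence over include
  management.endpoint.<id>.enabled            default true
  management.endpoints.web.base-path          default "/actuator"
"""
from typing import Dict, Set


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for .properties files (comments start with # or !)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _csv(value: str) -> Set[str]:
    return {item.strip() for item in value.split(",") if item.strip()}


def endpoint_exposed(props: Dict[str, str], endpoint: str = "heapdump") -> bool:
    """True if <endpoint> would be reachable over HTTP under this configuration."""
    enabled_default = props.get("management.endpoints.enabled-by-default", "true")
    enabled = props.get(f"management.endpoint.{endpoint}.enabled", enabled_default)
    if enabled.lower() == "false":
        return False
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if endpoint in exclude or "*" in exclude:
        return False
    return endpoint in include or "*" in include


def endpoint_url(props: Dict[str, str], endpoint: str = "heapdump") -> str:
    """Path at which the endpoint would be served; the base path is configurable."""
    base = props.get("management.endpoints.web.base-path", "/actuator").rstrip("/")
    return f"{base}/{endpoint}"


# Constructed configurations. The weak one exposes every endpoint under a
# custom base path; the hardened one keeps only health/info on the web and
# disables heapdump outright, so it cannot be re-exposed by a later include.
WEAK_CONFIG = """
management.endpoints.web.base-path=/management
management.endpoints.web.exposure.include=*
"""

HARDENED_CONFIG = """
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=heapdump,env,threaddump
management.endpoint.heapdump.enabled=false
"""


def audit(text: str, endpoint: str = "heapdump") -> dict:
    """Summarise exposure of one endpoint for a properties file's contents."""
    props = parse_properties(text)
    return {"exposed": endpoint_exposed(props, endpoint),
            "url": endpoint_url(props, endpoint)}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Running the script prints `weak {'exposed': True, 'url': '/management/heapdump'}` and `hardened {'exposed': False, ...}`. The check is useful as a CI gate on configuration repositories, since an `include=*` line is easy to add during debugging and easy to forget; note that an empty file reports `heapdump` as not exposed only because the framework's default include list is `health`, which is exactly the default the article says TeleMessage's deployment overrode.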

Security researcher Micah Lee analyzed the Android source code of TeleMessage and found hardcoded credentials for a WordPress API. Lee also obtained a data dump from one of TeleMessage's customers, the US Customs and Border Protection (CBP), including 780 emails of CBP officers.

Other contributing security flaws found included:

  • TeleMessage backed up every message to a SQLite database over HTTPS, but once attackers reached the exposed endpoint the whole database was accessible to them.
  • The app’s design to comply with the U.S. Federal Records Act meant messages were stored and backed up in ways that increased attack surface and data exposure risk.
  • The TeleMessage source code for the Android version was publicly accessible on the company's website, facilitating reverse engineering and vulnerability discovery by security researchers.

Thus, the hack stemmed from poor operational security practices, insecure default settings in underlying software frameworks, and insecure backup/storage mechanisms. This case underscores that even apps purported to be "secure" can be compromised through outdated components and misconfigurations, especially when they hold sensitive government communications.

TeleMessage is a Signal clone that backed up messages to a server, allegedly to comply with the US Federal Records Act. The messages were easy to find by downloading Java heap dumps from archive.telemessage.com/management/heapdump. Running a command-line tool over these dumps revealed many JSON objects containing plaintext messages.
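A heap-dump download of this kind leaves an obvious trace in the web server's access log: a request whose last path segment is an actuator endpoint id, answered with a 2xx status and a body of hundreds of megabytes. The script below is an added example (not TeleMessage's code) that scans access-log lines for such requests and separates dumps that were actually served from probes the server refused. The log lines in `SAMPLE_LOG` are constructed in the common "combined" format; the endpoint ids in `SENSITIVE_ENDPOINTS` are standard Spring Boot Actuator names, and the match is on the last path segment so it is independent of whichever base path (`/actuator`, `/management`, ...) a deployment uses.

```python
"""Flag requests for sensitive Spring Boot actuator endpoints in web-server
access logs.

Added example for this article, not TeleMessage's or Spring's code. The log
lines below are constructed in the combined log format.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Standard Spring Boot Actuator endpoint ids whose responses carry secrets or
# memory contents.
SENSITIVE_ENDPOINTS = {"heapdump", "threaddump", "env", "configprops",
                       "mappings", "beans", "logfile", "jolokia"}

# ip ident user [timestamp] "METHOD path proto" status bytes ...
_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for an actuator request, or None for ordinary traffic."""
    m = _LINE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0].rstrip("/")
    endpoint = path.rsplit("/", 1)[-1].lower()
    if endpoint not in SENSITIVE_ENDPOINTS:
        return None
    status = int(m.group("status"))
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    # A 2xx with a body means the data was actually served; anything else is a
    # probe the server refused or could not find.
    severity = "served" if 200 <= status < 300 and size > 0 else "probed"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "endpoint": endpoint,
            "path": path, "status": status, "bytes": size, "severity": severity}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """All actuator-endpoint findings in the given log lines, in log order."""
    return [f for f in (classify(line) for line in lines) if f]


def served_by_ip(findings: List[Dict[str, object]]) -> Counter:
    """Count of dumps each source address actually received, for triage."""
    return Counter(str(f["ip"]) for f in findings if f["severity"] == "served")


# Constructed sample: an ordinary page view, a health check, one refused probe
# of /env, and two successful heap-dump downloads from the same address.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/May/2025:10:14:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [03/May/2025:10:14:05 +0000] "GET /management/health HTTP/1.1" 200 15 "-" "kube-probe/1.29"',
    '198.51.100.9 - - [03/May/2025:10:15:11 +0000] "GET /actuator/env HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    '198.51.100.9 - - [03/May/2025:10:15:40 +0000] "GET /management/heapdump HTTP/1.1" 200 268435456 "-" "curl/8.5.0"',
    '198.51.100.9 - - [03/May/2025:11:02:13 +0000] "GET /management/heapdump?x=1 HTTP/1.1" 200 270532608 "-" "python-requests/2.32"',
]


if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for f in findings:
        print(f"{f['severity']:6} {f['ip']:15} {f['path']} {f['status']} {f['bytes']}")
    print(served_by_ip(findings))
```

On the sample this reports one `probed` and two `served` findings, all from 198.51.100.9. In practice the `served` class is the one to page on: a heap dump that was downloaded has already left the building, and the triage question becomes what credentials and session material were resident in the JVM at that moment, which is the same question the article's description of plaintext messages in the dumps raises.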

In light of this incident, it is crucial for app developers to prioritize security, keep their software up-to-date, and follow best practices for secure configuration and data storage. Government agencies and organisations using such apps should also be vigilant and take necessary measures to protect sensitive information.

  1. The TeleMessage app, claimed to be secure, was compromised due to poor operational security practices, outdated software components, and insecure backup/storage mechanisms.
  2. Despite the known vulnerability CVE-2025-48927 and updates in Spring Boot disabling the exploited endpoint, TeleMessage instances remained misconfigured, leading to a breach.
  3. In the aftermath of the hack, it's essential for app developers to prioritize security, update their software regularly, and adhere to best practices for secure configuration and data storage.
  4. The compromise of a "secure" messaging app used by White House officials highlights the growing risk of breaches in data and cloud-computing technology, particularly where sensitive crime-and-justice records are held and open source software is involved.