
DDoSecrets publishes 410 GB of heap dumps, hacked from TeleMessage

Aurornis

So one of their servers had a /heapdump endpoint that publicly served a heap dump of the server? This whole saga is out of control.

This group didn’t really “publish” anything, though. They’re offering access to journalists through a request form. They’re also not saying how much actual message content they have because the 410GB of heap dumps makes for a bigger headline number.

mingus88

Can you imagine co-opting a trusted and secure (and free) bit of software and just making it worse at seemingly every turn?

And charging for it?!

I’m not sure what is more embarrassing: to be the company or to be a user.

hypeatei

Why would the company be embarrassed? The users (i.e. high level U.S. officials) did no due diligence. Of course a private company is going to take the easiest and cheapest route. If it goes bad, just shut down and spin up a new entity.

Some speculate this was intentional intelligence gathering by the Israelis which is plausible too.

n2d4

> Some speculate this was intentional intelligence gathering by the Israelis which is plausible too.

How does this make sense? If they were gathering data, why would they add a public download? Surely the Israeli officials would not want foreign powers to access this?

Per Hanlon's razor, I don't think this is attributable to anything other than incompetence.

dylan604

>Some speculate this was intentional intelligence gathering by the Israelis which is plausible too.

Which does not bode well for the customers' counter intelligence abilities

donnachangstein

> The users (i.e. high level U.S. officials) did no due diligence.

But why would they? It's not their job. They have massive IT staff supporting them. "High level U.S. officials" are just executives; the pointy-haired bosses to the pointy-haired boss. Only difference is these wear little decorative pins over their breast pocket.

Every Fortune 500 company has dedicated IT staff for execs; someone you can call 24/7 and say "my shit's broke" and they respond "we just overnighted you a new phone".

These people couldn't even install an app on their MDM-controlled device, now the narrative has become we expect them to be making low-level IT decisions too?

Next week we'll be scrutinizing Pete Hegseth's lack of thoughts on rotating backup tapes.


kube-system

The changes to the application are intentional by all parties because message archiving was required by law.

brookst

Sure, but they were not required to be done incompetently and insecurely.

_kb

Well, I suppose technically this /heapdump endpoint does satisfy that archive requirement.

HenryBemis

(read with sarcastic tone) But hey, this is a 'lite' version or a 'red' version (icon is red) or a 'purple' version (icon is purple), so I am cooler than the others that have the standard.

I haven't used WhatsApp for 'a very long time' as I have exited the FB ecosystem, but back in the day I remember seeing "lite" or "WhatsApp+" or other variations of the software. I wouldn't be surprised that those "lite" or "+" come with baggage.

barbazoo

Aren’t those Israeli software companies all supposed to be top notch, ex Mossad, yadda yadda? Doesn’t sound like it.

I hope the message dump is juicy.

msy

And SBF of FTX fame was ex-Jane St so obviously was a serious finance professional. This is why using past employers as a shorthand for capability is unwise.

treebeard901

After all the concern over China and TikTok, why is the USG using a foreign chat program at all?

gruez

I thought Israel has mandatory military service, so ex-Mossad or ex-military signals intelligence doesn't really say much? Presumably they're directing people based on their skill set, so you'd expect most hackers to end up in Mossad for their mandatory service.

underdeserver

"All supposed to be".

This is a country of 10 million people, a rather heterogeneous one at that. There are going to be better and worse companies.

viraptor

That's not a great generalisation for the whole country. How many ex Mossad people interested in doing actual implementation in tech companies do you think there are? It's like "aren't those US software companies all supposed to be top notch, ex NSA yadda yadda?"

conradev

They do start a lot of tech companies specifically: https://en.wikipedia.org/wiki/Unit_8200#Companies_founded_by...

The US only has voluntary military service, so the dynamics are different

lysp

The CEO/Founder of TeleMessage, Guy Levit, was the head of the Planning and Development Department of an elite technical unit in the Intelligence Corps of the IDF, according to his bio.

oceanplexian

One problem that smart people tend to make is in thinking that being really smart in one area is generalizable to all others. Just because they're good at AppSec doesn't mean they're good at networking or operating a webserver.

ripley12

I agree with this. It's surprising how often I encounter people with that belief, because I was disabused of it very early on in my career; this industry is chockablock with people who are brilliant in 1 area and deficient in others.

karn97

That sounds more like a stupid person than smart lol

Calwestjobs

[flagged]

basilgohar

This article doesn't mention Mossad, though. Do you have any other sources?

jfim

Sounds like someone had a Java app and mistakenly exposed all of the JMX endpoints over HTTP. It's not the default configuration, and likely done out of carelessness.

pigbearpig

From the Wired article, it may not have even been a mistake, depending on the version of Spring Boot.

"Spring Boot Actuator. 'Up until version 1.5 (released in 2017), the /heapdump endpoint was configured as publicly exposed and accessible without authentication by default.'"
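
As an added example (not from the article or from TeleMessage), here is the Spring Boot Actuator configuration that leaves /actuator/heapdump reachable beside a hardened version; the property names are assumed to be Spring Boot 2.x/3.x, the port and address values are constructed.

```properties
# --- Risky form (added example, assumed Spring Boot 2.x/3.x property names) ---
# Exposing every actuator endpoint over HTTP, with no authentication in
# front of it, turns /actuator/heapdump into a public download of process
# memory: session tokens, credentials, and message bodies included.
management.endpoints.web.exposure.include=*
management.endpoint.heapdump.enabled=true

# --- Hardened form ---
# Expose only what the load balancer / monitoring actually needs.
management.endpoints.web.exposure.include=health,info
# Explicitly disable the memory-disclosing endpoints so that a later
# widening of the include list cannot bring them back.
management.endpoint.heapdump.enabled=false
management.endpoint.threaddump.enabled=false
management.endpoint.env.enabled=false
# Serve actuator on a separate port bound to localhost only, so the
# endpoints are never reachable through the public listener.
management.server.port=8081
management.server.address=127.0.0.1
# Do not leak component details to anonymous callers.
management.endpoint.health.show-details=when-authorized
```

A quick self-check for your own deployment: `curl -I https://<your-host>/actuator/heapdump` from outside the network should return 404 (or 401/403 behind auth), never 200.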

formerly_proven

This was also part of the exploit chain in the "Volksdaten" incident.

0xbadcafebee

Or intentionally. There could be an APM agent which just lets you run heap dumps any time you want, or they enabled heap-dump-on-crash, or had a heap dump shutdown hook, etc. There's a lot of ways to trigger dumps. If we're talking about a full dump, and the apps were using most of the memory allocated to their container/VM/etc, 410GB is actually not that many dumps (we're probably talking uncompressed). At 4GB/dump, that's around 100, over possibly several years.

I just wonder where they were storing them all? At one place I worked, we jiggered up an auto shutdown dump that then automatically copied the compressed dump to an S3 bucket (it was an ephemeral container with no persistent storage). Wonder if they got in through excessive cloud storage policies and this was just the easiest way to exfiltrate data without full access to a DB.

jfritsch1984

We're doing something way less critical at my job. But we have two pentests per year by external companies. How on earth is this level of incompetence even legal?

eskibars

It's not

greyface-

It's been weeks since the initial TeleMessage revelation... has the Signal Foundation responded in any way to the news? They condemn open source third-party clients and threaten trademark litigation when people use the "Signal" name in interop projects. Meanwhile, total silence when a defense contractor does the same thing.

ethersteeds

The charitable answer is that organizations across US society are currently all trying to be very still and quiet and not do anything to provoke a vindictive assault by this administration.

The less charitable one is that Moxie was the opinionated and uncompromising core of the Signal Foundation and has been removed from the board and completely vanished from the public eye. What it stands for now is a touch less clear.

th0ma5

You're making me wonder if Signal is the customer of the third party and not the government.

willmarquis

Exposing unauthenticated /heapdump endpoints in production is a rookie mistake, especially for a service handling sensitive government comms. The presence of MD5 hashes and legacy tech like JSP just adds to the picture of poor security hygiene. This breach is a textbook case of why defense-in-depth and regular audits are non-negotiable.

0xbadcafebee

> Because the data is sensitive and full of PII, DDoSecrets is only sharing it with journalists and researchers.

Yeah I'm normally a big proponent of responsible disclosure, but in this case, I think the more painful, damaging leak is required.

Firstly, autocrats, fascists & oligarchs don't care that much if you hack them. They will just keep using these tools (or another one just like it) ignoring the correct procedure their government already wants them to use. The citizens of affected nations need to be made angry by their leaders' failure to do their jobs correctly, and that's only gonna happen when there are consequences for their actions. Their incompetence put their nations at risk, and now it's clear they have failed to keep their intel safe. They have failed hard, let them fail hard.

Second, journalists and researchers have almost completely lost their power. In a non-democratic world (we're nearly there, just give them a little more time), when a journalist exposes corruption or incompetency, that journalist/researcher is simply silenced by the government. Silence the journalists and nobody knows what's going on so oppression can continue unchecked. Every person who gets silenced has a greater chilling effect on the whole society; nobody wants to be next. This is how authoritarians gain power. Oppression with no resistance or consequence legitimizes the oppression.

If we were just talking about typical corporate incompetence re: security, and the only thing at stake is a single stock or individuals' data, I would say disclose responsibly. But when it comes to stopping autocracy, the gloves have to come off. They sure as shit aren't gonna play by any rules, so neither should we.

3036e4

They don't need to "silence journalists", since a large number of people were duped to think real truth comes from random anonymous accounts on social media or from some charismatic political influencer they follow. It doesn't matter what leaks are exposed when it can just be handwaved as "fake news" and enough voters will buy that.

CobrastanJorji

> The citizens of affected nations need to be made angry by their leaders' failure to do their jobs correctly, and that's only gonna happen when there are consequences for their actions.

This is a really dangerous line of thinking. It's the line of thought that slides forwards to "I love America so much, but to save America I have to get Americans to really feel the pain, and to do that I need to <horrible violence> to them to wake them up and make them see how things are bad."

Hurting people in order to make them see how they are being hurt is almost never the right call.

fumeux_fume

This is a really dangerous line of thinking. It's the line of thought that slides forwards to "I love America so much, but to save America I have lie and cover up the truth of the <horrible violence> being done to them so they'll never see how bad things have gotten."

Lying to people in order to make them never see how they are being hurt is almost never the right call.

rtpg

I feel like it's valuable to not flatten the context here. We are talking about leaking texts by the Trump admin (and I guess some law enforcement agencies using this?).

There is a lot of daylight between dropping a bunch of texts for government officials and committing horrible violence against people as a whole! These are not the same thing! One could be good/fine while the other is bad!

Having said that I would worry for a WikiLeaks-style "oh now this random person's info is out there because it was in one of these e-mails".

I just want to see the gossip

scheeseman486

You're describing accelerationism and while the ethics behind it are iffy at best, history contends that it does work to help spur revolution.

TechDebtDevin

What if you're hurting people to prevent them from hurting people...

oivey

That quote does not say anything about citizens inflicting pain on others. That’s such a strange way to read it. It’s saying to vote shitty leaders out. I’m not sure what you think any other possible alternative there could be.

afavour

> The citizens of affected nations need to be made angry by their leaders' failure to do their jobs correctly, and that's only gonna happen when there are consequences for their actions.

The consequences likely wouldn’t be felt by those leaders though. Who knows what info is in those logs about informants, agents etc etc. Leak it openly and they’re dead.

protocolture

Completely agree.

We had the Cabinet Leaks in Aus https://www.abc.net.au/news/2018-01-31/cabinet-files-reveal-...

The national broadcaster picked 2 things to report on, then gave the rest of it back to the government.

The act of helping cover this shit up likely changed the course of politics in this country for decades. There's likely stuff in that cabinet that was well in the public interest and needed disclosure.

Signalgate or whatever is likely the same. And I don't care which party it harms or whatever. It seems relevant that people should have more information, not less, considering everything that is happening.

WatchDog

Great example to use whenever legislators want to ban or add backdoors to e2e encryption.

TechDebtDevin

Yeah no thanks, not donating to gatekeepers who want to maintain the status quo. I'll give my coin to WikiLeaks and groups with balls.

runlevel1

"clean on OPSEC"

- Pete Hegseth

That line simultaneously becomes funnier and more depressing.

treebeard901

"We are currently clean on OPSEC"

goalieca

Security standards need to start banning heap dumps.


GuinansEyebrows

Something tells me that wouldn't make a huge difference in some of these companies' opsec.

sneak

I’m pretty sure they already do, especially endpoints open to the whole internet that are unauthenticated.

lionkor

If only there was a rule saying "don't do that", this would not have happened.

zombiwoof

If no one will persecute criminals they will keep breaking all laws

bob_theslob646

Isn't it against the law in the United States to use outside channels for government communications? Wasn't this the whole scandal about Clinton? Please correct me if I am wrong.

afavour

Amazingly the app is on the government's list of approved apps. The scandal is what they're discussing on there: highly sensitive information you normally go to very secure channels to talk about.

rtpg

My understanding is that it was added fairly recently at that, and already this has happened. This must be a record time in "change of policy leading to the most embarrassing result". Only a couple of months!

floam

The app exists to comply with the regulations, was my understanding.
