The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be included in this dump, as exploited in the wild in May 2025.
The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.
The product makes files or directories accessible to unauthorized actors, even though they should not be.
Link | Tags |
---|---|
https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes/ | press/media coverage |