Hackers have claimed to steal messages from TeleMessage, a mobile chat application like Signal. While TeleMessage offers an encryption service similar to that of Signal, it also enables organizations and government agencies to back up chat copies for compliance purposes. 

Expressing concern over the nature of the breach, Thomas Richards, Infrastructure Security Practice Director at Black Duck, states, “This breach is alarming on many levels. Taking a secure messaging application and changing a core functionality such as backing up messages essentially breaks the security model. Users want secure messaging for privacy, and it now appears that the messages stored were not encrypted. This creates a security risk for users of the application as their sensitive information could be, and has been, compromised.”

This app was apparently used by Trump’s former national security adviser, Mike Waltz, to archive group chats. Waltz’s use of the app has caused some concerns about the security of his communication methods, especially following his accidental inclusion of a journalist into a Signal chat. 

“Any organization who is looking into a secure messaging application for compliance reasons should do a thorough review of the application,” Richards recommends. “This should include at least a penetration test against the application and a threat model to understand what risks the application could introduce. I would also encourage organizations to ask the developers to produce evidence of internal penetration testing along with an internal threat model to validate their claims of security and privacy.”

At this time, the app has temporarily suspended its services.

Casey Ellis, Founder at Bugcrowd, remarks, “Hopefully this will go down in AppSec history as a prime example of why frameworks aren’t a silver-bullet security solution. The Signal source code is phenomenal and incredibly robust, however, there are certain things that it can’t and won’t do for security reasons. When user demand is great enough, developers will hack things to create unorthodox and insecure solutions like this one. The same thing happens in enterprise and government application development all the time, and this whole debacle is a solid reminder of the importance of runtime application testing and following security policy when it counts.”