Full Report
A new analysis of TM Signal’s source code appears to show that the app sends users’ message logs in plaintext. At least one top Trump administration official used the app.
Analysis Summary
# Incident Report: Flaw in TM Signal App Exposes User Chat Logs in Plaintext
## Executive Summary
The security of the communication application TeleMessage Signal (TM Signal), used by some high-profile political figures, was severely compromised. Analysis of the app's source code revealed that its archiving feature does not preserve end-to-end encryption: message logs are sent to the corporate archive in a form the archive can read. This fundamental flaw gave the vendor, TeleMessage, direct access to user communications, and when an external attacker breached the archive, readable message data was exposed.
## Incident Details
- **Discovery Date:** Over the weekend preceding May 6, 2025 (related to an initial breach report), with deeper findings published subsequently.
- **Incident Date:** Ongoing security vulnerability, exploitation noted over the weekend.
- **Affected Organization:** TeleMessage (developer and operator of TM Signal; a subsidiary of Smarsh).
- **Sector:** Communication technology; the user base includes government and political figures.
- **Geography:** TeleMessage is an Israeli company; its parent, Smarsh, is US-based.
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to the public reporting over the weekend preceding May 6, 2025.
- **Vector:** Compromise of the corporate archive server that receives TM Signal message logs (the specific weakness exploited is not described in the source).
- **Details:** An external attacker gained access to the archive and the messages stored in it.
### Lateral Movement
- Not applicable in the network sense: the exposure came from the encryption architecture, not from traversal after initial access. Once inside the archive, the attacker could read stored messages directly.
### Data Exfiltration/Impact
- **Details:** The breach exposed some user messages and other data. That the exposed messages were readable is consistent with the source-code finding that content reaches the archive without end-to-end encryption under normal operation.
### Detection & Response
- **How it was discovered:** Initial reports of a hack over the weekend, followed by in-depth source code analysis by researcher Micah Lee.
- **Response actions taken:** TeleMessage paused the TM Signal service pending investigation.
## Attack Methodology
- **Initial Access:** External breach of the corporate message archive server (the specific weakness exploited is not described in the source).
- **Persistence:** Not relevant to the core vulnerability; the architecture itself keeps readable logs available to the vendor, and to anyone who reaches the archive, for as long as they are retained.
- **Privilege Escalation:** Not applicable; the design gave TeleMessage personnel read access to message content without any escalation, which is exactly what end-to-end encryption is supposed to prevent.
- **Defense Evasion:** The application was marketed as end-to-end encrypted, but that protection did not extend to the archiving path; nothing visible to the user indicated that archived content was readable off-device.
- **Credential Access:** Not detailed in the source; the archive breach implies the attacker obtained access to the backend storage, but whether credentials were involved is not stated.
- **Discovery:** Researcher Micah Lee analyzed the TM Signal Android source code.
- **Lateral Movement:** N/A.
- **Collection:** Message logs were collected by the archiving feature in plaintext.
- **Exfiltration:** The attacker retrieved data from the archive server; the same content was readable by TeleMessage staff under normal operation.
- **Impact:** The application's core promise of end-to-end encryption did not hold for archived messages; message content existed in readable form outside the two endpoints.
## Impact Assessment
- **Financial:** Not detailed in the source; costs from the service pause, the investigation and reputational damage are likely, and fall on Smarsh as TeleMessage's parent.
- **Data Breach:** Message content, accessible in readable form in the archive. The scope of the breach is not quantified in the source, but the mechanism exposes every archived message to whoever can reach the archive.
- **Operational:** TM Signal imposed a service pause pending investigation.
- **Reputational:** Significant damage to the credibility of an application marketed specifically to high-security users (like government officials) who chose it specifically for its supposed "Signal" security guarantees.
## Indicators of Compromise
- **Network indicators:** N/A (Specific URLs/IPs not provided in source).
- **File indicators:** Plaintext message logs found in the corporate archive.
- **Behavioral indicators:** Message content leaving the TM Signal client for the archive server in a form the server can read, i.e. not end-to-end encrypted. Note that "plaintext" here concerns the archive, not the wire: whether or not the transport is encrypted, the archive operator ends up holding readable content.
## Response Actions
- **Containment measures:** TM Signal paused its service pending investigation.
- **Eradication steps:** Not detailed in the source; at minimum the corporate archive server had to be secured.
- **Recovery actions:** Requires fixing the archiving feature itself, which drops end-to-end encryption when content is transferred to the archive, rather than only hardening the server that received it.
## Lessons Learned
- **Key takeaways:** A marketed cryptographic guarantee such as end-to-end encryption must hold across the *entire* data lifecycle, including corporate archiving features, which are easily overlooked and can quietly bypass the encryption.
- **What could have been done better:** TeleMessage should have implemented true end-to-end encryption (E2EE) for the archive link or clearly advertised that client-side messaging was being decrypted upon archival, rather than implying E2EE extended to the archive.
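The lesson above, and the behavioral indicator listed under Indicators of Compromise, both come down to one design choice: whether the archive server can read message bodies. The Go program below is an added example, not TeleMessage's code and not a description of how TM Signal actually works; the record layout, field names, the sample message and the customer-held archive key are all constructed for the example. It contrasts the flawed pattern (the client serialises the message, body included, and ships it to the archive) with the hardened one the lesson asks for: the client seals the body to an X25519 key that only the customer's compliance reviewer holds, so the archive server stores ciphertext it cannot open. `BodyVisible` is the canary check an auditor would run against whatever actually reaches the archive.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ArchiveRecord is a constructed stand-in for an archiving upload; not TeleMessage's real format.
type ArchiveRecord struct {
	Sender, Recipient string
	SentAt            int64
	Body              string
}

// EncryptedRecord is the hardened form: metadata stays visible for indexing, the body is sealed.
type EncryptedRecord struct {
	Sender, Recipient        string
	SentAt                   int64
	EphemeralPub, Ciphertext []byte
}

// Wire serialises the sealed record as the archive server would store it.
func (e *EncryptedRecord) Wire() ([]byte, error) { return json.Marshal(e) }
// NewArchiveKey makes the customer-held X25519 pair; the archive server never gets the private half.
func NewArchiveKey() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }
// metaAAD binds the visible metadata into GCM authentication so it cannot be swapped undetected.
func metaAAD(s, r string, t int64) []byte { return []byte(fmt.Sprintf("%s|%s|%d", s, r, t)) }
// BodyVisible is the auditor's canary check: true means whoever holds the archive can read the body.
func BodyVisible(wire []byte, body string) bool { return bytes.Contains(wire, []byte(body)) }

// recordAEAD does X25519 plus a single-block HKDF-SHA256 bound to both public keys (so a record
// cannot be re-targeted). The ephemeral key is fresh per record, so the derived key is single-use
// and a fixed zero nonce is safe; this is the single-shot pattern HPKE and sealed boxes use.
func recordAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, ephPub, archPub []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	extract := hmac.New(sha256.New, []byte("archive-demo-salt"))
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(ephPub)
	expand.Write(archPub)
	expand.Write([]byte("archive-record-key\x01"))
	block, err := aes.NewCipher(expand.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord runs on the client; nothing it produces is recoverable without the archive private key.
func SealRecord(r ArchiveRecord, archivePub *ecdh.PublicKey) (*EncryptedRecord, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	gcm, err := recordAEAD(eph, archivePub, eph.PublicKey().Bytes(), archivePub.Bytes())
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, make([]byte, gcm.NonceSize()), []byte(r.Body), metaAAD(r.Sender, r.Recipient, r.SentAt))
	return &EncryptedRecord{Sender: r.Sender, Recipient: r.Recipient, SentAt: r.SentAt,
		EphemeralPub: eph.PublicKey().Bytes(), Ciphertext: ct}, nil
}

// OpenRecord runs on the reviewer's workstation; a wrong key or edited metadata fails authentication.
func OpenRecord(e *EncryptedRecord, archivePriv *ecdh.PrivateKey) (string, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(e.EphemeralPub)
	if err != nil {
		return "", err
	}
	gcm, err := recordAEAD(archivePriv, ephPub, e.EphemeralPub, archivePriv.PublicKey().Bytes())
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, make([]byte, gcm.NonceSize()), e.Ciphertext, metaAAD(e.Sender, e.Recipient, e.SentAt))
	if err != nil {
		return "", fmt.Errorf("record rejected (wrong key or tampered): %w", err)
	}
	return string(pt), nil
}

func main() {
	msg := ArchiveRecord{Sender: "alice", Recipient: "bob", SentAt: 1746489600, Body: "constructed sample body"}
	weak, _ := json.Marshal(msg) // the weak pattern from the report: the body lands in the archive readable
	key, _ := NewArchiveKey()
	sealed, _ := SealRecord(msg, key.PublicKey())
	wire, _ := sealed.Wire()
	opened, err := OpenRecord(sealed, key)
	fmt.Printf("weak visible=%v\nsealed visible=%v: %s\nreviewer=%q err=%v\n",
		BodyVisible(weak, msg.Body), BodyVisible(wire, msg.Body), wire, opened, err)
}
```

Run it with `go run`: the output shows the body present in the weak record and absent from the sealed one, while the reviewer holding the private key still recovers it. Two design points matter here. The zero nonce is acceptable only because each record uses a fresh ephemeral key, so the derived GCM key is never reused; and the visible sender, recipient and timestamp are bound into GCM's additional data, so the archive cannot silently reattribute a message. None of this depends on the transport: whatever TLS sits underneath, the archive operator never gets a key that opens the body.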
## Recommendations
- **Prevention measures for similar incidents:**
1. Mandate independent, comprehensive security audits on any data archiving feature that claims to integrate with E2EE services.
2. Ensure that all data transmission, including backups and corporate archives, is protected by strong, current encryption standards.
3. Avoid contradictory security claims (e.g., trading on the Signal name and its end-to-end encryption reputation while the archiving path delivers readable message content).