Hardcoded credentials in the Signal archiving tool used by the White House is a five-alarm security dumpster fire. - ThreadSky

joemenn.bsky.social • 11 days ago

Hardcoded credentials in the Signal archiving tool used by the White House is a five-alarm security dumpster fire.

The source code for the TM SGNL apps (basically a backdoored version of Signal used by Trump officials) is public! Since it's open source, I've pushed it to github for easier research micahflee.com/heres-the-so...

Comments

metaphysicalist.bsky.social•11 days ago

Spies love this one clever trick.

gargolito.bsky.social•11 days ago

joerugola.bsky.social•11 days ago

chrismardell.bsky.social•11 days ago

Wasn’t too far off with this one
https://bsky.app/profile/chrismardell.bsky.social/post/3lo5igf7ifs2x

chrismardell.bsky.social•10 days ago

Really not far off at all
https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/

mbandman.bsky.social•10 days ago

Wouldn’t this be a good topic for the Congressional Oversight Committee to investigate? We would hope that the app and communications process has been properly vetted and cleared. Why not ask the questions? (Yes, I’m being facetious)

jlp2024.bsky.social•11 days ago

Why is it not covered as such?

jda5id.com•11 days ago

Because most editors are both both sides flunkies and tech illiterate.

jlp2024.bsky.social•11 days ago

True but an email server that didn't pose this security threat got the 6 alarm fire treatment for months.....I jest, I know it is all a fucking joke

drgdave.bsky.social•11 days ago

Sorry, I've lost track of all of 5-alarm fires these past 4 months.

midnight-ninja.bsky.social•11 days ago

Minus some unforced errors, that is their goal, to overwhelm and fatigue opposition.

sunshipballon.bsky.social•10 days ago

Errors actually help with that because chaos breeds confusion which hides their otherwise clear intentions

libbyget.bsky.social•11 days ago

Unforced errors is a good way to put that other stuff, ugh. 🤨

maize2man.bsky.social•10 days ago

why use this and not Signal proper?

elisabetk.bsky.social•10 days ago

Because every intelligence agency and their dog are pushing their bait and switches at these guys. It's not like they would notice the difference. "It's like Signal, but better! The description says so!"

williamwillyloman.bsky.social•11 days ago

So, please clarify- it’s a bad thing that anyone in the world can access confidential U.S military communications sent across Signal?

moll.dev•11 days ago

Not quite, the credentials are for sending debug / crash logs to the developers. Although the app is still forwarding all signal messages somewhere to be archived, presumably somewhere the Trump admin controls

williamwillyloman.bsky.social•8 days ago

But, this…

https://www.wired.com/story/tm-signal-telemessage-plaintext-message-archive/

moll.dev•8 days ago

Yeah, I was just referring to the Wordpress credential that was leaked in the app. The rest of the app was unsurprising not very secure and anyone could login and see the archived messages with a bit of work

nortrup.dev•10 days ago

But the contents of debug and crash logs are frequently riddled with sensitive data. If I had a nickel for every time a developer logged sensitive data in debug logs on have Trump crypto bribe money.

I wouldn't be surprised if things like the contents of messages were logged.

audaciousness.bsky.social•11 days ago

Waiting for reports that:

• This is 4-D chess hacker-proof.
• The really sensitive stuff used regular Signal, not the TM version.
• Nothing, because the people who would try to spin it won't even understand.

richs.bsky.social•11 days ago

Depends on what the credentials do and where

cullenskink.bsky.social•11 days ago

Take your point but I think there is no scenario where this even scrapes ‘I guess that’s ok then’ - cos when you have a little access…

richs.bsky.social•11 days ago

Telemetry credentials.

cullenskink.bsky.social•11 days ago

I mean… maybe? Do you feel good about it? Do you feel like Signal engineers were like ‘now harden the surface area if you happen to have credentials a, or b or c’?

richs.bsky.social•11 days ago

I’m not sure what Signal engineers have to do with this

cullenskink.bsky.social•10 days ago

My bad, misread the original code attribution.

I still don't like any credentials being available easily though.

somerandomdave.bsky.social•11 days ago

Or, as we call it for the current administration, "Saturday".

christbot.bsky.social•10 days ago

They unsecured the secure messaging app! 😮 🤦

wrathofgus.bsky.social•11 days ago

Someday I expect a hacker group to dump all of Trump lands signal and WhatsApp messages.

It’s a dumb crew

flavorcryptid.bsky.social•11 days ago

Foreign intelligence agencies used to have to spend years cultivating an Intel source.

Now all they have to do is sit back and allow us to elect the dumbest fucking human beings in existence.

pylos.co•11 days ago

nycgeo.bsky.social•11 days ago

Very legal. Very cool.

fnordpig.bsky.social•11 days ago

These are the people trying to jail Krebs. They get the “experts” they deserve.

magickenslady.bsky.social•11 days ago

Has anyone sourced where the code/app originated? Basically, is this a Russian Intel op and our super smart leaders walked right into it?

diamondlifeca.bsky.social•11 days ago

Israel

ncstarguy.bsky.social•11 days ago

They’re willing participants.

aliawynn.bsky.social•10 days ago

This could reveal state secrets.

nocatsnomasters.bsky.social•11 days ago

*jumps back six feet like a scalded cat at seeing those credentials*

NO! NO! NO! BAD DEVELOPER! BAD BAD DEVELOPER!

downtym.com•10 days ago

It's a good thing that logging systems have never had any privilege escalation or shell code exploits before.

*log4j peaks over the wall*

Ah. Well. Okay then.

cassandraoftroy.bsky.social•10 days ago

Is this a DOGE authored code modification?

brianinnc.bsky.social•11 days ago

Can someone explain this to me like I’m in 5th grade, please?

unchi.org•11 days ago

There are user credentials (e.g. passwords) that the app needs written directly into the source code, rather than having the app fetch those credentials at run time. It's much easier this way for attackers to compromise the application. Huge huge red flag for security hygiene.

northstarsfan.bsky.social•11 days ago

You can use the username and password in the source code to read all the messages that were archived.

blunderalong.bsky.social•11 days ago

The dumb IT guys at govt created their own version of the Signal application and publicly shared the computer code.

Within the code was hard-coded username and password, publicly visible to all.

moll.dev•11 days ago

It’s even dumber, it literally archives every encrypted chat to gmail inbox, I don’t even think the password was used for anything in the app. It’s just forwarding in plaintext

coolguy69420.bsky.social•11 days ago

No, the government didn’t make TM SGNL, some Israeli guys did

ratatouillecat.bsky.social•11 days ago

I can only imagine what the Chinese and Russians are thinking. Between this, the sheer incompetence of Hegseth and Duffy to secure safe air travel, and all the cuts to our country’s intelligence agencies: WE HAVE NEVER BEEN MORE VULNERABLE!

patentlysue.bsky.social•11 days ago

ngl. I believe the admin is doing this FOR the Chinese and Russians.

omicron416.bsky.social•11 days ago

The Russians, yes, or at least one of them — Putin.
If it's to help China it's only because they're allied with Russia.

cullenskink.bsky.social•11 days ago

Holy fucking shit

mgsmylie.bsky.social•11 days ago

I don't ever want to hear any elected republican criticize anyone ever again about anything. No moral authority remains. Not a shred.

true-bird.bsky.social•11 days ago

📌

deebell.bsky.social•11 days ago

I'm not a coder, but this does not look good for the security of the USA.

owl-bear.bsky.social•11 days ago

if this isn't the first thing chatgpt suggested they should use i will eat my hat (only have one hat right now and this will crush me)

libbyget.bsky.social•11 days ago

[starts a GoFundMe to fund a second hat]

infinitely007.bsky.social•11 days ago

Gsus people!!! How is this still happening?

diamondlifeca.bsky.social•11 days ago

It’s on purpose.

ryandleonard.bsky.social•11 days ago

Uh…who does that for any sort of production level code?

bleats.by86400.today•10 days ago

Are we not talking about how this was stuffed onto a Wordpress installation, on top of everything else?

rimaanabtawi.bsky.social•10 days ago

📌

infinitelyloopy.bsky.social•11 days ago

Anytime I hear the word hardcoded I think either non-scalable code or security breach.

dosdogs.bsky.social•11 days ago

That’s why Mike Waltz got fired the next day

bertil.bsky.social•10 days ago

Wasn’t he promoted?
Whatever you call it, the UN is full of people you want to keep secrets from. You need serious security there too.

sferroni.bsky.social•11 days ago

It's a clown show

scsargent.bsky.social•10 days ago

But Hilary’s emails…

mgallagher.bsky.social•10 days ago

Gets worse. https://bsky.app/profile/micahflee.com/post/3loeueb6b2k22

southernspring.bsky.social•11 days ago

That’s super sloppy.

trypectopah.bsky.social•10 days ago

Isn’t there also the strong possibility that the Israeli government has access to every message? Seems bad!

pjcrowley.bsky.social•10 days ago

Are you implying that a former IDF elite intelligence officer might share our data with his government?

texasdfwcowboy.bsky.social•10 days ago

Five alarm dumpster fire definitely. Provenance of the source is key, it's unclear if a third party audit organization (3PAO) validated no backdoors, no hardcoded tokens, passphrase, etc. This is absolutely against DoD, FAR, FASCA, DHS and CISA advice, including NIST. Well, it *WAS*, now who knows

runtimepanic.bsky.social•10 days ago

It's not exactly unclear. That obviously didn't happen.

texasdfwcowboy.bsky.social•10 days ago

Provenance and data lineage analysis not yet performed, so i have to reserve 'unclear' - if anyone else has done so and share their forensics. I don't like to post anything without sourcing, vetting, validating to avoid the echo chamber of just repost inaccurate information.

gamecat235.bsky.social•11 days ago

Do you remember when we had a functioning government with standards for adoption and vetting and experts in fields?

Imagine using this like it’s still *Signal* but then… doing this to it.

Our government is run by incompetent clowns.

icebeard.bsky.social•11 days ago

But for 80 million people, a broken government, a flailing economy and alienating all of our allies is better than letting the brown lady run things.