HackedIN: Ghost in the wires (in Australia, even criminal telcos have crappy APIs)
Jamieson O'Reilly
Founder @ Dvuln. Hacker. T̶h̶i̶n̶k̶i̶n̶g̶ Doing outside the box. Redteaming, Pentesting, DevSecOps.
Introduction
In September 2024, GhostChat—an encrypted communication platform used by criminal enterprises—was taken down in a global law enforcement operation.
While the takedown was a well-coordinated, separate effort by law enforcement, my post-mortem analysis revealed that GhostChat had numerous critical vulnerabilities even before law enforcement intervention.
Background - The Takedown
GhostChat had been operational since 2015, with law enforcement targeting it starting in 2022.
The Australian Federal Police (AFP), along with global partners, infiltrated the network via malware introduced through software updates.
However, upon investigating the platform post-takedown, I discovered additional security flaws that were entirely unrelated to law enforcement’s approach. These flaws could have been exploited by criminals or other actors.
Vulnerabilities Exposed Post-Takedown
Here’s a breakdown of the critical vulnerabilities I discovered after GhostChat had already been compromised by authorities.
Exposed Development Environment
A GhostChat developer exposed passwords and API credentials in a public source-code repository.
This included information about the development server, which could be accessed publicly.
Unauthenticated API Endpoints
I found multiple API endpoints that required no authentication at all, exposing sensitive data.
For example, the /request_accounts/ API call allowed me to retrieve a list of over 1,000 GhostChat user accounts, including PGP emails, screen names, device IDs, and license expiration dates.
Internal Support Messages Exposed
Through the exposed support API, it was also possible to view internal customer support messages.
These messages revealed that users frequently asked administrators to remotely install various applications on their devices, demonstrating that GhostChat’s remote-install capability was a supply chain vulnerability.
While convenient, this remote-install functionality was a glaring security hole.
Key Lessons for Companies
The vulnerabilities I discovered are not unique to GhostChat.
They represent broader security failures that any company could face if they do not prioritise basic security hygiene. Here are the core lessons for companies:
Secure Development Practices
Public repositories must be carefully managed to prevent the exposure of sensitive data. Developer credentials, API tokens, and server details should never be publicly accessible.
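One practical control for the exposed-repository problem described above (and in the Exposed Development Environment section) is a secret scan that runs before code is pushed. The following is an added example, not GhostChat's code or anything from the author; the credential patterns, the "# allow-secret" exception marker and the sample repository contents are all constructed for illustration, and real deployments would extend the pattern set for their own stack.

```python
"""Minimal secret scanner for repository content (added example, not GhostChat code)."""
import re
from dataclasses import dataclass

# Assumed patterns for common credential shapes; tune for your own stack.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?:password|passwd|pwd|api[_-]?key|secret|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})", re.I),
    # Development/staging hostnames are exactly the "server details" that should not be public.
    "internal_host": re.compile(r"\b(?:dev|staging|internal)[\w.-]*\.[a-z]{2,}\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str  # redacted, so the scan report does not re-leak the secret


def redact(value: str) -> str:
    """Keep just enough of the value to identify it without exposing it again."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "# allow-secret" in line:  # explicit, code-reviewed exceptions only (assumed marker)
            continue
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository content: not real credentials, keys or hosts.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = True\n"
        "DB_PASSWORD = 'Wint3r-Is-C0ming-2024'\n"
        "API_BASE = 'https://dev-api.example.test/v1'\n"
    ),
    "deploy/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n",
    "README.md": "Set DB_PASSWORD via the environment; never commit it.\n",
    "tests/fixtures.py": "DUMMY_TOKEN = 'xxxxxxxxxxxxxxxx'  # allow-secret\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.excerpt}")
```

Wired into a pre-commit hook or CI job, a non-empty findings list blocks the push; the README line is not flagged because the pattern requires an assignment, and the fixture line is skipped only because a reviewer marked it.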
API Security
Authentication and authorisation should be mandatory for all API endpoints. Unauthenticated APIs can leak valuable information that could be exploited by adversaries or used for intelligence gathering.
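To make the difference concrete for the /request_accounts/ finding above and for this lesson, here is an added example (not GhostChat's code and not from the author) that shows an account-listing handler with no check at all beside a hardened one. The account records, token values and roles are constructed; the framework-free "headers in, Response out" shape is an assumption chosen so the example runs with the standard library only.

```python
"""Unauthenticated vs. authenticated and authorised account listing (added example)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data; field names mirror the kinds of data the endpoint leaked.
ACCOUNTS = {
    "u1001": {"id": "u1001", "screen_name": "alpha", "pgp_email": "alpha@example.test",
              "device_id": "dev-111", "license_expires": "2025-01-31"},
    "u1002": {"id": "u1002", "screen_name": "bravo", "pgp_email": "bravo@example.test",
              "device_id": "dev-222", "license_expires": "2025-03-15"},
}


def _h(token: str) -> str:
    """Store token hashes, never the tokens themselves."""
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed token store: hash -> principal. Roles drive authorisation.
TOKENS = {
    _h("tok-alpha-secret"): {"user_id": "u1001", "role": "user"},
    _h("tok-support-secret"): {"user_id": "u9999", "role": "support"},
}


@dataclass
class Response:
    status: int
    body: object


def request_accounts_vulnerable(headers: dict) -> Response:
    """The failure mode described in the article: any caller gets every record."""
    return Response(200, list(ACCOUNTS.values()))


def authenticate(headers: dict):
    """Return the principal for a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = _h(auth[len("Bearer "):])
    # Constant-time comparison so lookup timing does not leak which hash was close.
    for stored, principal in TOKENS.items():
        if hmac.compare_digest(presented, stored):
            return principal
    return None


def request_accounts_hardened(headers: dict) -> Response:
    principal = authenticate(headers)
    if principal is None:
        return Response(401, {"error": "authentication required"})
    if principal["role"] == "support":
        # Authorised staff still get the minimum needed: no device IDs or PGP emails in a list view.
        return Response(200, [{"id": a["id"], "screen_name": a["screen_name"]}
                              for a in ACCOUNTS.values()])
    own = ACCOUNTS.get(principal["user_id"])
    if own is None:
        return Response(403, {"error": "forbidden"})
    return Response(200, [own])  # ordinary users see only their own record


if __name__ == "__main__":
    print(request_accounts_vulnerable({}).status, "records:", len(request_accounts_vulnerable({}).body))
    print(request_accounts_hardened({}).status)
    print(request_accounts_hardened({"Authorization": "Bearer tok-alpha-secret"}).body)
```

Two separate decisions are being made: authentication (who is calling) and authorisation (what that caller may see), and the second is where bulk-enumeration endpoints usually go wrong even when the first is present.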
Supply Chain Vulnerabilities
Centralised control over user devices, such as the ability to push updates or install apps remotely, should be tightly controlled and audited. Any weakness in this process could introduce significant security risks.
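What "tightly controlled and audited" can look like for the remote-install capability described in the Internal Support Messages section and in this lesson: an install request is only honoured when it is linked to a support ticket, carries a valid signature over a canonical manifest, names a package on an allowlist, and delivers bytes matching the pinned hash, and every decision is written to an audit record. This is an added example, not GhostChat's code or the author's; the signing key, package contents, roles and ticket IDs are constructed, and HMAC stands in for the asymmetric release signature a real deployment would use.

```python
"""Gate for remote app installs: allowlist, pinned hashes, signed manifest, audit trail
(added example, not GhostChat's code)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key. In production the manifest signature would be asymmetric (e.g. Ed25519)
# with the private key in an HSM/KMS; HMAC is used here only so the example runs offline.
RELEASE_SIGNING_KEY = b"constructed-release-signing-key"

# Constructed package contents; the allowlist pins the SHA-256 of each approved build.
PACKAGE_BYTES = {"secure-notes": b"constructed package payload v1.2.0"}
APPROVED_PACKAGES = {name: hashlib.sha256(b).hexdigest() for name, b in PACKAGE_BYTES.items()}


def canonical(manifest: dict) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = RELEASE_SIGNING_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def authorise_install(manifest: dict, signature: str, actor: dict,
                      package: bytes, audit_log: list) -> tuple[bool, str]:
    """Return (allowed, reason) and record the decision whatever the outcome."""

    def decide(allowed: bool, reason: str):
        audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor.get("id"), "role": actor.get("role"),
            "device": manifest.get("device_id"), "package": manifest.get("package"),
            "ticket": manifest.get("ticket"), "allowed": allowed, "reason": reason,
        })
        return allowed, reason

    if actor.get("role") != "support":
        return decide(False, "actor not permitted to push installs")
    if not manifest.get("ticket"):
        return decide(False, "no support ticket linked to request")
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        return decide(False, "manifest signature invalid")
    name = manifest.get("package")
    pinned = APPROVED_PACKAGES.get(name)
    if pinned is None:
        return decide(False, f"package {name!r} not on allowlist")
    if manifest.get("sha256") != pinned:
        return decide(False, "manifest hash does not match approved build")
    if hashlib.sha256(package).hexdigest() != pinned:
        return decide(False, "package bytes do not match pinned hash")
    return decide(True, "approved build, signed manifest, ticketed request")


def demo() -> list:
    """Three constructed requests: a legitimate one, a tampered manifest, and an unprivileged actor."""
    log: list = []
    manifest = {"device_id": "dev-111", "package": "secure-notes",
                "sha256": APPROVED_PACKAGES["secure-notes"], "ticket": "SUP-42"}
    sig = sign_manifest(manifest)
    support = {"id": "staff-7", "role": "support"}
    authorise_install(manifest, sig, support, PACKAGE_BYTES["secure-notes"], log)
    tampered = dict(manifest, package="some-other-tool")  # signature no longer covers this
    authorise_install(tampered, sig, support, b"anything", log)
    authorise_install(manifest, sig, {"id": "u1001", "role": "user"},
                      PACKAGE_BYTES["secure-notes"], log)
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry["allowed"], entry["package"], entry["reason"])
```

The audit list is the point of the "audited" part of the lesson: denied requests are logged with the same detail as approved ones, which is what a later review of support activity would need.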
Proactive Monitoring
Regular audits of development environments, server configurations, and external vendor access are critical to prevent the kind of exposure that occurred with GhostChat.
Conclusion
GhostChat’s vulnerabilities provide critical lessons for both the private sector and law enforcement.
For companies, the message is clear.
Even sophisticated platforms can fall prey to basic security failures if not properly managed.
For law enforcement, these vulnerabilities offer insight into how exploitable weaknesses in platforms can provide operational advantages in intelligence gathering and criminal investigations.
Student at University of Notre Dame
3 months ago: great dude.. I like it
We protect websites from threats, reduce infrastructure costs, and speed up performance.
4 months ago: Ghostbusters?
Founder of Dejitaru | Cyber Security Services and CPD Resources
4 months ago: Jamieson O'Reilly Interesting write-up. Are poorly secured APIs common?
Chief Financial Officer (CFO), Strategic Business Partner @Amazon (AWS) | Specialize in Driving Exponential Growth for $100M+ Companies
4 months ago: Amazing work my friend
A/Director of Offensive Security, Service NSW | Co-Founder, ThreatCanary | CNCF TAG Security Tech Lead
4 months ago: Great write-up