Sending Mixed Signals Writeup
Nahamcon 2025
Solved by Starry-lord
This challenge was a deep dive into the headlines about the picture of Mike Waltz, a US government official, and the unexpected public exposure of official communications from a custom Signal application.
In the picture, Waltz’s phone screen was visibly displaying a custom Signal app, a critical tool intended for secure official communications.
The content of these supposedly secure communications was publicly accessible. It was leaked because the app's code was publicly available on GitHub and, unfortunately, contained hard-coded credentials.
Most of the info required to solve this challenge lies within this deep-dive analysis by Micah Lee:
Here’s the source code for the unofficial Signal app used by Trump officials
The email of the person who committed the code with credentials can be found in the article and can be matched with the commit history.
I found the leaked credentials in the app/src/tm/java/org/archiver/ArchiveConstants.kt file within the open-source repository.
The third question could be answered by matching the dates with the release tags.
And finally, after answering all the questions correctly, we get the flag:
Key Learning & Takeaways
- Open repositories must be scanned continuously for secrets before every commit.
- Operational security lapses such as visible screens can hand attackers the exact breadcrumbs they need.
- Combining public journalism with version-control forensics (commit diffs, tag timelines, author metadata) is a powerful, low-cost way to validate breaches and attribute responsibility.
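The audit steps used above (find the commit that added a hard-coded credential, read its author metadata, match its date to a release tag) can be run against your own repository's history. The sketch below is an added example, not code from the challenge or the repository: the `@@commit` marker format, the regexes, the function names and all sample data are assumptions constructed for illustration.

```python
import re

# Assumed input: git log -p --date=short --format='@@commit %H|%ae|%ad'
COMMIT_RE = re.compile(r"^@@commit (\w+)\|([^|]+)\|(\S+)$")
FILE_RE = re.compile(r"^\+\+\+ b/(.+)$")
# An added Kotlin line that assigns a string literal to a credential-like name.
SECRET_RE = re.compile(
    r'^\+\s*(?:\w+\s+)*va[lr]\s+(\w*(?:PASSWORD|SECRET|TOKEN|API_?KEY)\w*)'
    r'\s*(?::\s*\w+\??)?\s*=\s*"[^"]+"', re.IGNORECASE)

def scan_history(log_text):
    """Return one finding per added hard-coded credential, oldest first."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if m := COMMIT_RE.match(line):
            commit, path = m.groups(), None
        elif m := FILE_RE.match(line):
            path = m.group(1)
        elif commit and path and (m := SECRET_RE.match(line)):
            sha, author, date = commit
            # Record the name only; never copy the secret value into a report.
            findings.append({"commit": sha, "author": author, "date": date,
                             "file": path, "name": m.group(1)})
    return sorted(findings, key=lambda f: f["date"])

def first_release_after(date, tags):
    """First tag released on or after an ISO date, or None."""
    later = sorted((d, t) for t, d in tags if d >= date)
    return later[0][1] if later else None

# Constructed sample history (newest first, as git prints it). Not real data.
SAMPLE_LOG = """\
@@commit 1111111|dev@example.com|2024-03-02
--- a/app/src/main/java/example/Constants.kt
+++ b/app/src/main/java/example/Constants.kt
@@ -2 +2 @@
-    const val ARCHIVE_PASSWORD = "constructed-placeholder"
+    val ARCHIVE_PASSWORD = System.getenv("ARCHIVE_PASSWORD")
@@commit 0000000|dev@example.com|2024-01-15
--- /dev/null
+++ b/app/src/main/java/example/Constants.kt
@@ -0,0 +1,3 @@
+object Constants {
+    const val ARCHIVE_PASSWORD = "constructed-placeholder"
+}
"""
SAMPLE_TAGS = [("v1.0.0", "2024-01-10"), ("v1.1.0", "2024-02-01"), ("v1.2.0", "2024-03-10")]
if __name__ == "__main__":
    for f in scan_history(SAMPLE_LOG):
        print(f, "-> first release:", first_release_after(f["date"], SAMPLE_TAGS))
```

The later commit that moves the value to an environment variable is not flagged, yet the finding from the earlier commit remains: a secret that reached history must be rotated, not just deleted from the current tree.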