From Secure to Exposed: How Ghost’s Own Code Led to its Downfall
Law enforcement agencies recently gained access to the encrypted communication platform Ghost, which has been linked to organized crime activities. As a result of the breach, they were able to intercept user messages. Independently of this event, a cybersecurity researcher uncovered vulnerabilities in Ghost’s infrastructure, which allowed him to obtain a list of usernames and support tickets through an unsecured server.
This incident demonstrates that even secure networks created by criminal organizations can be vulnerable to attacks by law enforcement and external hackers. Cybersecurity expert Jamieson O’Reilly from Dvuln remarked that the problems arose when Ghost transitioned to using its own code rather than relying on technologies from major companies.
During his research, O’Reilly discovered publicly exposed login credentials—username and password—on a code-sharing platform similar to GitHub. These credentials belonged to a Ghost developer who was involved in building the platform’s API and web portal. Typically, encrypted communication platforms create such portals so distributors can add new users or manage client devices.
The most severe finding was an unprotected API endpoint. This flaw exposed confidential data of more than 1,000 Ghost users, including their names, email addresses, passwords, and subscription expiry dates. Additionally, the researcher gained access to information about the company’s resellers—partners responsible for distributing Ghost’s products.
Encrypted-communication providers often employ a network of distributors who operate in specific regions and pass a portion of the profits back to the company. Such a structure can sometimes lead to conflicts and competition between dealers, and exposure of reseller data could pose further risks to their operations.
O’Reilly also accessed messages sent to Ghost’s support team. These messages contained requests to reinstall or update apps, as well as inquiries about other messaging platforms like Threema and Signal. The messages indicate that Ghost users are not always able to manage their devices independently and frequently seek technical assistance.
Some of the messages clearly reveal clients’ concerns about being compromised by authorities. In one message, a user asked, “Please confirm whether your app and security system have been breached by the authorities. My law firm urgently needs to assess the situation.” This likely refers to the separate incident of Ghost’s breach by law enforcement agencies.
Since the researcher discovered these vulnerabilities, the Ghost server has become unavailable. However, the data leak had already occurred, potentially compromising the security of many users and partners of the platform. At the time of publication, Ghost’s website displayed a message stating that the FBI had seized the resource, with users instructed to contact the agency for further information.