A group of researchers based in London has revealed that the popular messaging application Telegram had some serious security flaws. Telegram, one of the best WhatsApp alternatives, has over 500 million users across iOS and Android.
The Royal Holloway researchers reported that Telegram had vulnerabilities in its Cloud Chats. By default, the platform offers chats that are not end-to-end encrypted (non-E2EE); users who are more concerned about their privacy can opt in to end-to-end encryption for individual chats. The vulnerabilities were found in the non-E2EE chats.
Together with Lenka Mareková, @kennyog and Igors Stepanovs, we took a deep dive into @telegram’s symmetric cryptography: “Four Attacks and a Proof for Telegram” to be presented at @IEEESSP 2022. https://t.co/60sSPD07Hq 🧵 by @kennyog and me: pic.twitter.com/jn5P72kWS9
July 16, 2021
The researchers claim that the flaw allowed interlopers to access messages that had already been sent and rearrange their contents, which could result in a different message. Additionally, attackers were able to extract the chat transcript in readable form from the iOS, Android and desktop apps, even when the messages were sent in encrypted mode.
This vulnerability could also be used to manipulate “Bots” on the messaging platform. Bots, on Telegram, are used to manage groups and automate basic tasks.
The flaws were shared with Telegram before they were disclosed to the public, giving Telegram enough time to fix them.
Telegram, for its part, has acknowledged the issues highlighted by the researchers and has already fixed the flaws. In a statement posted on Telegram’s official blog, the company says: “The latest versions of official Telegram apps already contain the changes that make the four observations made by the researchers no longer relevant. Overall, none of the changes was critical, as no ways of deciphering or tampering with messages were discovered.”
Telegram has released an updated version with the fix in place. Both the researchers and Telegram advise users to update the application on their devices from the respective app stores.