Data Security

Telegram groups reveal your phone number. All hacktivists must be careful when organizing a mass protest

Many activists, researchers, and even some malicious users see Telegram as an option to establish much more secure communication channels than other options available in the instant messaging market like WhatsApp or Facebook Messenger. According to information security specialists, even some social movements, such as the struggle for democracy in Hong Kong, have received a particular boost through this platform.

Unfortunately, not everything is good news, as a technical flaw has recently been discovered on the platform that could expose the phone numbers of Telegram public group participants; in the case of protests in Hong Kong, this flaw could be exploited by Chinese authorities to anticipate the organization of massive demonstrations and identify the movement’s leaders.

The Telegram groups used to spread the movements of this social struggle are public, so this is not exactly a problem of improper access to a Telegram chat. It is nevertheless a serious information security problem: although this is a more secure messaging platform than the rest, the authorities could be able to compromise the integrity of the activists thanks to the leaked information, violating Telegram’s encryption mechanism.

Chu Ka-Cheong, an IT expert based in Hong Kong, revealed the incident via his Twitter account: “We need some help from Telegram. We have been able to confirm the presence of a serious vulnerability that leaks the phone numbers of participants from some public groups, regardless of the security settings of each user,” says Chu, who also highlights the importance of this platform in the Hong Kong demonstrations.

It is important to mention that, according to some information security specialists, the vulnerability is widely known and very easy to exploit. “This is a risky scenario for activists using Telegram, it could compromise some key actions,” he says.

The flaw was posted on some popular hacking forums in Hong Kong and, as mentioned, exploits public access groups where users have decided to keep their phone number private. To exploit it, thousands of phone numbers can be added to a device that must then be synchronized with Telegram to find matches between stored numbers and private numbers in public groups; “In fact any phone company can exploit this flaw,” adds Chu Ka-Cheong.

Despite being considered more secure than other instant messaging services, Telegram suffers from the same critical security weakness as its counterparts: it resorts to using the phone number as a user ID. Information security specialists claim, however, that this specific flaw had not been identified until a few days ago. For now, the only way to protect yourself from exploitation of this flaw is by modifying your Telegram account settings to “anonymous mode”, although this complicates the use of the platform as a massive information spreading medium.

According to specialists from the International Institute of Cyber Security (IICS), this error cannot be considered a backdoor, as its presence is completely accidental. On the other hand, this flaw has generated new opinions and debates about the security of instant messaging services and the ability of the authorities to intervene in these platforms, either in a purely incidental way, by exploiting vulnerabilities or, in the worst case, forcing the developers of these platforms to install backdoors in order to access confidential information.
