Many activists, researchers, and even some malicious users see Telegram as an option to establish much more secure communication channels than other options available in the instant messaging market like WhatsApp or Facebook Messenger. According to information security specialists, even some social movements, such as the struggle for democracy in Hong Kong, have received a particular boost through this platform.
Unfortunately, not everything is good news, as a technical flaw has recently been discovered on the platform that could expose the phone numbers of Telegram public group participants; in the case of protests in Hong Kong, this flaw could be exploited by Chinese authorities to anticipate the organization of massive demonstrations and identify the movement’s leaders.
The Telegram groups used to spread the movements of this social struggle are public, so this is not exactly a problem of improper access to a Telegram chat, it is nevertheless a serious information security problem, although this is a more secure messaging platform than the rest, the authorities could be able to compromise the integrity of the activists thanks to the leaked information, violating Telegram’s encryption mechanism.
Chu Ka-Cheong, IT expert based in Hong Kong, revealed the incident via his Twitter account: “We need some help from Telegram. We have been able to confirm the presence of a serious vulnerability that leaks the phone numbers of participants from some public groups, regardless of the security settings of each user,” he says, who also highlights the importance of this platform in the Hong Kong demonstrations.
It is important to mention that, according to some information security specialists, the vulnerability is widely known and very easy to exploit. “This is a risky scenario for activists using Telegram, it could compromise some key actions,” he says.
The flaw was posted on some popular hacking forums in Hong Kong and, as mentioned, exploits public access groups where users have decided to keep their phone number private. To exploit it, thousands of phone numbers can be added to a device that must then be synchronized with Telegram to find matches between stored numbers and private numbers in public groups; “In fact any phone company can exploit this flaw,” adds Chu Ka-Cheong.
Despite being considered more secure than other instant messaging services, Telegram suffers from the same critical security weakness as its counterparts, it resorts to using the phone number as a user ID, although information security specialists claim that this specific flaw had not been identified until a few days ago. For now, the only way to protect you from exploiting this flaw is by modifying your Telegram account settings to “anonymous mode”, although this complicates the use of the platform as a massive information spreading medium.
According to specialists from the International Institute of Cyber Security (IICS) this error cannot be considered a backdoor, as its presence is completely accidental. On the other hand, this flaw has generated new opinions and debates about the security of instant messaging services and the ability of the authorities to intervene in these platforms, either in a purely incidental way, by exploiting vulnerabilities or, in the worst case, forcing the developers of these platforms to install backdoors in order to access confidential information.