Four critical vulnerabilities found in Telegram cryptography

A research team from ETH Zurich and Royal Holloway published a report detailing the discovery of multiple vulnerabilities in the cryptographic protocol of Telegram, one of the most popular messaging platforms today. The experts completed this analysis using only open source tools and without attacking the application’s systems.

While these flaws do not pose a severe risk to Telegram’s millions of users, this is a sign that the system present on the messaging platform is not as secure as previously thought. Kenny Paterson of ETH Zurich noted that a total of four weaknesses of consideration were found and could be addressed relatively simply.

According to Paterson, the main risk detected is related to the way in which the sequences of messages coming from a client to a Telegram server in the cloud can be manipulated, which could alter the order and even the content of a message sent by a legitimate user.

The second flaw was described as a bug that would allow threat actors on the network to detect which of the two messages is encrypted by a client or a server, something that by design should rule out the cryptographic protocol in Telegram but doesn’t actually happen. However, this flaw has only been analyzed at a theoretical level.

The third bug is found in the iOS, Android, and desktop versions of Telegram, as they contain code that would allow threat actors to intercept plain text messages, although deploying this attack in the wild is virtually impossible, as it required hackers to send millions of specially crafted messages to a target user. While experts rule out a successful attack attempt, they point out that the main mitigation for this scenario is that some metadata in Telegram is randomly selected and kept secret.

Finally, the experts demonstrated that threat actors can deploy a Man-in-The-Middle (MiTM) attack variant in the key negotiation process between the client and the server, which would completely compromise the target user’s communications. This attack is also virtually impossible, as it would require threat actors to send billions of messages to a Telegram server in a minimal time window.

As you may realize, these weaknesses in Telegram’s encryption do not pose an immediate risk to users; however, it is important for the platform to know how to address these potential entry points before malicious hackers can exploit them.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.