Researchers found multiple security vulnerabilities in the Telegram encryption protocol that could put users’ privacy and the integrity of messages at risk. Despite their severity, the vulnerabilities were not easy to exploit. Telegram has patched the bugs in its latest app releases following the bug report.
Telegram Encryption Protocol Vulnerabilities
A team of cryptographers from ETH Zurich and Royal Holloway, University of London, recently analyzed Telegram’s encryption protocol and found four different vulnerabilities.
Briefly, the most serious of these flaws could allow an adversary to alter the sequence of messages arriving at Telegram servers from a client. This would affect the way messages are transferred to the next client, risking the integrity of communications.
The second vulnerability could let an adversary on the network identify the messages encrypted by the client or server.
The third bug could let an attacker decipher encrypted messages. This vulnerability stemmed from code present in the Android, iOS, and desktop apps. Nonetheless, the researchers deemed it “almost impossible to pull off in practice”. As described,
“While this seems alarming, it would require an attacker to send millions of carefully crafted messages to a target and observe minute differences in how long the response takes to be delivered. Nevertheless, if this type of attack were successful it would be devastating for the confidentiality of Telegram messages and, of course its users.”
The last vulnerability could let an attacker mount man-in-the-middle (MitM) attacks by impersonating the Telegram server to a client. While difficult to exploit, this vulnerability raised questions about the security of Telegram servers.
The researchers have shared the details of the flaws in a blog post.
Telegram Patched The Flaws
Upon finding the bugs, the team reached out to Telegram officials regarding the matter. Consequently, the Telegram developers patched the flaws and rolled out the fixes with the latest app releases.
While Telegram appreciated the findings, it disagreed with the researchers’ hypothesis that exploiting the bugs could allow messages to be deciphered. Hence, it didn’t deem the bugs critical, yet it admitted the potential security risks associated with the flaws.
Nonetheless, since the fixes are already out, Telegram users are presently safe from these exploits.