Researchers Found Several Cryptographic Flaws in the Telegram App

  • A team of university researchers has found four ways to attack Telegram’s cryptography.
  • Some of the attacks are theoretically interesting, but not all are simple to execute.
  • Telegram has fixed all issues through regular updates but hasn’t released any security advisories.

A team of researchers from the University of London and ETH Zurich published a paper describing their methods to four attacks against Telegram, relying on weaknesses in the cryptographic system (MTProto 2.0) of the popular instant messaging app. Since Telegram counts over 500 million monthly users who trust it for secure communications, any findings that threaten to break the encryption protocol are crucially important and have potentially wide and deep repercussions.

The four flaws discovered by the boffins are the following:

  1. An attacker can reorder the messages that fly from a client to the server of the platform. The attack is trivial to perform and could cause serious trouble to the user by altering the contents of their messages.
  2. An attacker can detect which messages were encrypted on the client-side and which were encrypted on the server-side. This is an attack that mostly has a theoretical interest rather than a practical significance.
  3. There’s a way to recover some plaintext from encrypted messages from all Telegram clients (Android, iOS, desktop), essentially devastating the confidentiality of the messages exchanged in the platform.
  4. A malicious individual can launch a “man-in-the-middle” attack by leveraging the initial key negotiation between the Telegram client app and the platform’s server. The end result would be to impersonate the server to the client, receiving all messages in a readable form.

Telegram has addressed all of the above as the researchers informed the project’s developers prior to the publication of their paper but have chosen not to issue security advisories at the time of patching. Attack scenarios 1, 2, and 4 have been addressed in version 7.8.1 for Android, 7.8.3 for iOS, and 2.8.8 for Telegram Desktop client apps, while attack number 3 was fixed last month.

Besides the fact that the problems have been fixed now, so you don’t need to worry about anything if you’re using the latest version of the app, we should note that the study proved the strength of MTProto on several occasions. What we would suggest is to use third-party (forks) Telegram clients where the implementation of the encryption protocol may not have been done appropriately. If you trust Telegram for your communications, the official app would be your best bet.

Latest
How to Watch Shetland Season 7 Online From Anywhere
Shetland is back to answer all of the questions that left us hanging at the end of the last series, and you...
Real Madrid Vs Eintracht Frankfurt Live Stream: How to Watch UEFA Super Cup Final Online From Anywhere
The new soccer season is upon us, which means it is time for the UEFA Super Cup Final. Played between the previous...
How to Watch I Am Groot Online On Disney Plus
Marvel's I Am Groot is almost here, which means Marvel fans need to add one more show to their watchlist this summer. We...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari
[class^="wpforms-"]
[class^="wpforms-"]