Researchers find four problems in Telegram’s cloud
NEW DELHI: A group of researchers at the Royal Holloway, University of London, have found four critical flaws in popular messaging app Telegram.
The platform has often touted security as a key reason for users coming to it. However, while Telegram offers one of the most preferred end-to-end encrypted (E2EE) apps through a feature called secret chats, it also offers regular cloud chats that are not encrypted.
E2EE offers users protection from man-in-the-middle (MITM) attacks, where an attacker places themselves between the sender or receiver of a message and the cloud server that routes that message. E2EE ensures that even a service provider such as WhatsApp or Telegram won’t be able to read messages that users send, which also means that they cannot provide the content of those messages to governments, law enforcement agencies, or others.
Telegram uses a protocol called MTProto to secure its cloud chats, which is the company’s own version of transport layer security (TLS), a popular cryptographic standard meant to ensure security of data in transit. TLS also protects against MITM attacks to an extent, but does not stop servers held by companies such as Telegram from reading these texts when needed.
According to the researchers, Telegram’s cloud chats have a flaw where an adversary on the network can reorder messages. The researchers said they did not know of examples where this vulnerability was exploited, but noted that it can be used by an attacker to manipulate Telegram bots.
The researchers found code in the Android, iOS, and desktop versions of Telegram that could allow attackers to extract plaintext from encrypted messages. Such an attack can be devastating for the platform and its users, but would require a significant amount of work by the attacker. That means that such an attack will be carried out by a significantly motivated attacker such as nation-state backed hacker groups.
This, along with two other flaws, have all been fixed by Telegram, the platform said in a blog post on July 16. “The latest versions of official Telegram apps already contain the changes that make the four observations made by the researchers no longer relevant,” the platform wrote.
Interestingly, while Telegram claimed that the vulnerabilities didn’t allow attackers to decipher text messages, that may not be completely true. The researchers noted that one of the flaws allowed an MITM attack which would allow an attacker to “impersonate” Telegram’s servers and hence “break both the confidentiality and integrity of communication.
On Friday, an international team of computer scientists reported on Friday that they found four cryptographic vulnerabilities in the popular encrypted message app Telegram.
The weaknesses range “from technically trivial and easy to exploit to more advanced and of theoretical interest,” according to the security analysis.