[Updated] Telegram may add new option to protect phone number privacy
This story is being continuously updated. New updates are added at the bottom.
It is possible that Telegram will support a new privacy mode that lets people protect their phone number from strangers. The company, however, refused to comment on the issue that popped up recently, claiming that the bug cannot be exploited.
Earlier this month, security researchers and members of the “Internet Society Hong Kong” reported an issue in Telegram Messenger that can disclose the phone numbers of millions of people. The issue poses a threat to any Telegram user who participates in public chats or channels, because it makes it possible to identify a user’s phone number, which was previously believed to be hidden from strangers.
Yesterday, a new piece of text was added to the official “translations” of Telegram Messenger, indicating that there will be a new phone number privacy option for iOS users:
Users who add your number to their contacts will see it on Telegram only if they are your contacts.
There are reasons not to celebrate too soon. Firstly, adding such an option to the translations is never enough. Telegram will need to update its API and then release an update for all platforms before users can enable the option. The option simply doesn’t exist yet.
Secondly, it is very unlikely that Telegram will enable phone number protection for all users by default. Unlike some other messengers, Telegram does hide your phone number from strangers, but at the same time it relies heavily on phone numbers as a distribution mechanism. It will use every possibility to spread across your contacts, so you will always know when one of your friends starts using Telegram.
If enhanced privacy is enabled by default, fewer people will find each other, because discovery would require both parties to have each other in their contacts. That is no good for Telegram’s business ambitions – Pavel Durov is planning to launch his blockchain platform soon and integrate it into the messenger ecosystem.
How serious is the vulnerability?
The basic idea is that anyone can type in a phone number to check whether a user is registered on Telegram or not. But, surprisingly to many, there appears to be a way to abuse the limits of the Telegram API and “check” millions of numbers, extracting useful information – the unique ID and username of every active user.
Such an attack requires a certain amount of time and resources, which is not a problem for government agencies.
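To make the two points above concrete, here is an added toy model (not Telegram’s code or API) of a contact-import lookup. It shows why the proposed “visible only to my contacts” setting defeats mass lookups: a protected number resolves only when the target has already saved the importer, and otherwise the response is indistinguishable from an unregistered number. A per-client import budget is included as an assumed, illustrative server-side limit.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    username: str
    phone: str
    contacts: set = field(default_factory=set)  # phone numbers this user saved
    visible_to_strangers: bool = True  # False models the proposed privacy option


class Directory:
    """Toy phone-number directory; an assumed model, not Telegram's implementation."""

    MAX_LOOKUPS_PER_CLIENT = 500  # assumed per-client budget for one time window

    def __init__(self, users):
        self.by_phone = {u.phone: u for u in users}
        self.lookups = {}  # client user_id -> numbers looked up so far

    def import_contacts(self, client: User, numbers: list) -> dict:
        """Resolve a batch of phone numbers to (id, username) for the calling client."""
        used = self.lookups.get(client.user_id, 0)
        if used + len(numbers) > self.MAX_LOOKUPS_PER_CLIENT:
            # Reject the whole batch; enumeration needs far more lookups than a
            # real address-book sync, so a hard budget is the cheapest brake.
            raise PermissionError("contact import budget exceeded")
        self.lookups[client.user_id] = used + len(numbers)

        found = {}
        for number in numbers:
            target = self.by_phone.get(number)
            if target is None:
                continue  # unregistered number: nothing returned
            # Legacy behaviour: every registered number resolves to an account.
            # Privacy option: resolve only if the target also saved the client,
            # so a stranger sees exactly what they would see for an unknown number.
            if target.visible_to_strangers or client.phone in target.contacts:
                found[number] = {"id": target.user_id, "username": target.username}
        return found
```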
A theoretical guess first popped up online several years ago. Then, a year ago, it was confirmed to work and was being sold “as a service” to governments. On August 9, 2018, journalists discovered that a little-known Russian company had created software called “Kriptoscan” and added more than 10 million phone numbers to its database.
For each of them, an internal Telegram user ID, username, profile photo and name was saved to the database. This gives the database owner the ability to identify most Russian Telegram users in less than a second, just by looking at their profile in Telegram or reading someone’s forwarded message. Considering that Telegram officially has fewer than 7 million active users in Russia in total, they would have checked almost every Russian phone number.
The final proof of the operation’s success appeared two weeks later, when other journalists decided to ask the company to identify a user who conceals his identity and only has a username – a short link, only effective inside Telegram. “Kriptoscan” owners kindly provided the journalists with the phone number, for free, in return for advertisement.
As they claim, their software is designed to be usable by the FSB, Russia’s state security agency. So it is very reasonable for every Hong Kong activist to stay alert and be ready to be identified by authorities.
The company attempts to promote itself on social networks, responding to a message from Chu Ka-chong, who wrote a widely shared tweet, with a screenshot of their database:
What’s Telegram’s reaction?
On August 23, 2019, Telegram commented on the issue being discussed on the Internet, saying “There is no bug: just like WhatsApp or Facebook Messenger, Telegram is based on phone contacts. This means that you must be able to see your contacts who are also using the app”.
With this, Telegram did not address the reports of possible abuse of its API, the protections against repeated checks, or the possible vulnerability in the legitimate API methods that disclose a phone number on request (the issue mentioned in the 2018 investigation).
Update 1 (Sept 01)
As per a report, Telegram has decided to safeguard the identity of protesters from Hong Kong or mainland Chinese authorities by giving users an option to disable matching by phone number. You can read more about this here.
Due credits for writing this article: Dmitrij Igorevich