A group of researchers from London have found critical vulnerabilities in popular messaging app Telegram, which is used by over 500 million users across the world.
The researchers comprising those from Royal Holloway, University of London, analysed the encryption protocols used by Telegram and highlighted the vulnerabilities in its cloud chats.
Telegram said it acknowledged the vulerabilities highlighted by the researchers and fixed them in its latest update. The platform uses MTProto protocol to secure its cloud chats, something like the Transport Layer Security (TLS), a popular cryptographic standard meant to ensure security of data in transit.
Explaining what they set out the achieve, the researchers said in their study that they launched four attacks on the security protocols used by the popular messaging app and the last one “broke the authentication properties of Telegram’s key exchange, allowing a MitM attack”.
“Telegram uses its MTProto ‘record layer’ – offering protection based on symmetric cryptographic techniques – for two different types of chats. By default, messages are encrypted and authenticated between a client and a server, but not end-to-end encrypted: such chats are referred to as cloud chats,” said the study.
They said though the platform offers end-to-end encryption (E2EE) through a feature called “secret chats”, the cloud chats aren’t encrypted. They then described the methods used to attack Telegram’s security protocol and how they succeeded.
The vulnerabilities gave an adversary the chance to “reorder” messages, said researchers, adding that it can allow the hackers to manipulate Telegram bots. The messaging app uses cloud chats to control several automated bots.
“The latest versions of official Telegram apps already contain the changes that make the four observations made by the researchers no longer relevant,” Telegram wrote in a blog post on Friday.