UPDATE: Telegram says it's not a vulnerability, but a feature. An update with a clarification from Telegram is given at the bottom of this article.
A discovery by software engineer Chu Ka-Cheong and others warns of a Telegram vulnerability that allegedly leaks the phone numbers of public group members, even when their privacy settings should prevent it.
“Need help from @telegram. We and multiple teams have independently confirmed a serious vulnerability that causes phone numbers to be leaked to members in public groups, regardless of the privacy setting. Telegram is heavily used in #hkprotest, it put HKers in immediate threats,” tweeted Chu Ka-Cheong.
The bug is already public and it is very easy to exploit. It is posting real dangers to #hkprotests who heavily use @telegram to coordinate our demonstrations and actions. We are writing up the bug here. Need help from @durov https://t.co/Z2bTjs7KkC
— Chu Ka-cheong (@edwincheese) August 23, 2019
A document published on Google Drive describes the Telegram vulnerability, and a team of independent software engineers based in Hong Kong has extensively tested the bug.
The bug was made public on a popular Hong Kong discussion forum that protestors use to communicate.
The bug has a high impact and a low attack complexity, and the independent team suspects that a government-sponsored actor could have exploited the vulnerability to specifically target the Hong Kong protestors, in some cases posing immediate danger to the protestors' lives. We are writing up the bug here and requesting that Telegram respond to this serious issue as soon as possible.
The vulnerability works like this:
- Telegram user "A" is a member of a public group, for example CommonsGroup.
- User A does not want their phone number to be visible in Telegram, so they change the number's visibility in Telegram's privacy settings (Privacy > Phone Number > Nobody).
- An attacker wants to uncover the real identities of CommonsGroup members.
- The attacker adds a large quantity of sequential phone numbers to the address book on their phone. User A's phone number could be among them.
- The attacker syncs their contacts with Telegram.
- The attacker joins CommonsGroup (a public group).
One would expect A's phone number not to show up in the group info because of the strict privacy setting; however, the attacker can see A's phone number in the group info. In theory, the attacker could see the phone number of any public group member.
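To make the two sides of this dispute concrete, here is a constructed model (added for this article, not Telegram's code or the researchers' code) of the rule Telegram describes below: the "Nobody" setting governs only viewers who do not already hold your number, so a viewer whose synced contacts contain it still sees it, while a per-account import throttle bounds how many numbers a bulk sync can match. The import cap, the sample numbers and the account names are assumptions; only the 5-per-day post-ban limit comes from Telegram's statement.

```python
from dataclasses import dataclass, field

# Constructed model of the behaviour described in the article; not Telegram's code.
IMPORT_CAP = 100      # assumed per-sync cap before the import ban (real value unknown)
POST_BAN_PER_DAY = 5  # from Telegram's statement: 5 new numbers per day after a ban


@dataclass
class Account:
    phone: str
    phone_visibility: str = "nobody"            # "everybody" | "contacts" | "nobody"
    contacts: set = field(default_factory=set)  # numbers that matched on import


def phone_visible_to(viewer: Account, target: Account) -> bool:
    """Contact-based exception: the setting only applies to viewers lacking your number."""
    if target.phone in viewer.contacts:
        return True
    if target.phone_visibility == "everybody":
        return True
    if target.phone_visibility == "contacts":
        return viewer.phone in target.contacts
    return False


class ImportThrottle:
    """Per-account contact import with the safeguard Telegram describes (assumed shape)."""

    def __init__(self, account: Account, registered: set):
        self.account, self.registered = account, registered
        self.imported, self.banned, self.post_ban_today = 0, False, 0

    def sync(self, numbers) -> int:
        matched = 0
        for number in numbers:
            if self.imported >= IMPORT_CAP:
                self.banned = True
            if self.banned and self.post_ban_today >= POST_BAN_PER_DAY:
                break  # remaining numbers would appear as "not using Telegram"
            if self.banned:
                self.post_ban_today += 1
            else:
                self.imported += 1
            if number in self.registered:
                self.account.contacts.add(number)
                matched += 1
        return matched


def demo() -> dict:
    # Constructed registered users: A sits inside the throttle window, B beyond it.
    a, b = Account("+85290000014"), Account("+85290000150")
    attacker = Account("+85291111111")
    matched = ImportThrottle(attacker, {a.phone, b.phone}).sync(
        f"+85290000{i:03d}" for i in range(200))  # sequential range, as in the write-up
    return {"matched": matched,
            "a_visible": phone_visible_to(attacker, a),   # True despite "Nobody"
            "b_visible": phone_visible_to(attacker, b)}   # False: never imported
```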
As we've previously reported, Telegram plays a pivotal role in Hong Kong's protests: people use it to coordinate many actions and demonstrations privately, which is possible only thanks to the level of anonymity Telegram offers. A bug such as this one can seriously and permanently undermine the principles that allowed people to communicate freely in defence of their rights.
Because of its popularity with Hong Kong protestors, Telegram's founder has suggested that the service has been the target of state-sponsored DDoS attacks.
Update, August 25: quote from a Telegram spokesperson, who doesn't consider this a vulnerability:
“This is not a bug or “vulnerability”: just like WhatsApp or Facebook Messenger, Telegram is based on phone contacts. This means that you must be able to see your contacts who are also using the app.
The phone number settings control phone number visibility for users who don't have your number (as opposed to WhatsApp showing your phone number to everyone else in any group).
The protesters claimed that if you added enough numbers to your contacts, you would see everybody – in fact this would not work because we have safeguards in place to prevent importing too many contacts – exactly to prevent the scenario outlined in the document. In fact, our data shows that the bot displayed on the screenshots got banned from further imports after two seconds – and only managed to successfully import 85 contacts (not 10,000).
Once you get banned from importing contacts, you can only add up to 5 new numbers per day. The rest of the contacts you add will look like they’re not using Telegram – even if they are.”