A new vulnerability affecting the Telegram messaging app has been found that allows an attacker to identify people in a group, even if their phone number is hidden.
The bug was first reported on a discussion forum of Hong Kong protestors and was eventually picked up and verified by security researchers from Hong Kong.
Need help from @telegram. We and multiple teams have independently confirmed a serious vulnerability that causes phone numbers to be leaked to members in public groups, regardless of the privacy setting. Telegram is heavily used in #hkprotest, it put HKers in immediate threats
— Chu Ka-cheong (@edwincheese) August 23, 2019
How does the bug work?
According to the analysis done by the researchers, including Chu Ka-Cheong, the bug works in the following way.
- A person X joins a group on Telegram while simultaneously hiding the phone number.
- The attacker Y, who wants to uncover the real identity of X, adds a large number of phone numbers to the phone book. Adding a massive number of phone numbers to the phone book increases the possibility that X’s phone number will be among them.
- The attacker Y then syncs the contacts in Telegram.
- After syncing the contacts, the attacker Y joins the Telegram group, where X’s phone number is now clearly visible to Y.
As per the document, the attacker, by following the above procedure, can document the phone numbers of any number of members.
The process is simple, but it will not work where the phone number space is large, because that decreases the probability of finding the target’s phone number. In areas like Hong Kong, where the phone number space is smaller, this technique can be used to reveal the identity of the group members.
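On the service side, the pattern described above (one account syncing a large, dense block of numbers) is something a provider can look for in its contact-import records. The following Python is an added example, not Telegram's code or the researchers'; the record format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Hypothetical thresholds; a real service would tune these against its own traffic.
MIN_IMPORTS = 500        # distinct numbers imported in one window before we look closer
MIN_RUN_FRACTION = 0.8   # share of imported numbers that sit next to another imported number

def run_fraction(numbers):
    """Share of distinct numbers that have a neighbour (n-1 or n+1) in the same set."""
    distinct = set(numbers)
    if not distinct:
        return 0.0
    adjacent = sum(1 for n in distinct if n - 1 in distinct or n + 1 in distinct)
    return adjacent / len(distinct)

def flag_enumeration(events, min_imports=MIN_IMPORTS, min_run_fraction=MIN_RUN_FRACTION):
    """events: (account_id, phone_number_as_int) contact-import records from one window.
    Returns {account_id: (distinct_count, run_fraction)} for accounts whose imports are
    both large and densely consecutive, which an ordinary address book is not."""
    per_account = defaultdict(set)
    for account, number in events:
        per_account[account].add(number)
    suspects = {}
    for account, numbers in per_account.items():
        fraction = run_fraction(numbers)
        if len(numbers) >= min_imports and fraction >= min_run_fraction:
            suspects[account] = (len(numbers), round(fraction, 2))
    return suspects

def sample_events():
    """Constructed sample data, not real numbers or real accounts."""
    events = []
    for i in range(40):      # ordinary user: small, scattered address book
        events.append(("acct-normal", 61000000 + i * 7919))
    for i in range(1000):    # bulk importer: 1000 consecutive numbers
        events.append(("acct-bulk", 90000000 + i))
    for i in range(600):     # large but scattered address book (e.g. a business)
        events.append(("acct-business", 50000000 + i * 1013))
    return events

if __name__ == "__main__":
    for account, (count, fraction) in flag_enumeration(sample_events()).items():
        print(f"{account}: {count} imports, {fraction:.0%} in consecutive runs")
```

Volume alone would also flag the large legitimate address book in the sample; combining it with the consecutive-run share is what separates the two.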
The researchers fear that the government has already begun exploiting the bug and that the protestors of Hong Kong are in danger.
Currently, the bug has been verified on iOS 12.4 and Android 9. Telegram is yet to release an official statement.
Kumar Hemant
Former Senior Editor at Candid.Technology. Hemant has a keen interest in social issues and international relations.