Protesters in Hong Kong found that Telegram shows a phone number regardless of privacy settings. “Protected” Telegram messenger encrypted communication presumably helps to maintain the anonymity of users, and therefore widely used by protesters in Hong Kong. But in recent days, there has been a real panic among them: a message is spreading through the channels that the police have a way to determine the phone numbers of Telegram users.
Telegram company admitted a bug with the leak of confidential data
She also explained that this is not a bug, but the organization of its work.
Diagram of the exploit. Left to right:
1) the script generates a contact list with 10 000 phone numbers in order;
2) added to the group of protesters;
3) Telegram tells which users from the contact list are already in the group;
4) the script generates a new contact list and repeats the above steps until you go through all the numbers.
The scheme of alleged actions of the Hong Kong police is shown in the screenshot above.
The police generate a contact list with thousands of phone numbers in order. It is added to the group of protesters. Telegram tells you which users from the contact list are already in the group. This scheme can be easily automated to search a large number of phone numbers.
Activists say that in this way you can find phone numbers even if the user has specified in the telegram settings to show no one your phone number.
Binding to a phone number is one of the main disadvantages of the messenger, which tries to preserve the anonymity of users. The authorities have rich tools to de-anonymize users by their phone numbers, to track their movements, identify other phone numbers that are always nearby, and so on.
Basic information law enforcement agencies can immediately request from the telecommunications company
After the information about the telegram exploit appeared, the information was checked and confirmed by several information security specialists.
“Telegram phone number privacy has been discussed since the beginning of this year, ” says Chu Ka — cheong, Director of the Hong Kong Internet society and one of the software engineers who independently confirmed the error. — We knew that setting the privacy of the number to “My contacts” would allow people from the contact list to see your number, so activists always asked people to set the setting .
“Nobody” expecting it to hide a phone number in a public group. Until today, we didn’t know that setting “Nobody” would still allow users who have stored their phone number in the address book to map the phone number to public group members. It was a revelation to all of us.”
Setting “Nobody” will still allow users who have saved their phone number in the address book to map the phone number to public group members.
After the disclosure of this bug, users began to actively leave the groups of protesters in Telegram. Activists worry that this will make it difficult to coordinate future demonstrations and actions.
Chu said there is no workaround at the moment to avoid this data leak. Protesters are advised to switch to disposable SIM cards registered anonymously or in someone else’s name instead of their main phone numbers. But it is obvious that the bulk of users will not be able to do this.
Unfortunately, for many users of the messenger Telegram is too late
“We suspected that some government — sponsored attackers used this error and used it to calculate Hong Kong protesters, in some cases creating an immediate danger to the lives of protesters, “Chu says of the so-called” aunts”, that is, bandits who came to Hong Kong from mainland China and perform informal tasks of the security services, including dealing with activists.
Chu Ka-Chong says that Telegram is now the main channel of communication, and it is very difficult to abandon it: “Switching to another application such as Signal is not a viable option for us,” he said. “Because the way protesters communicate strongly depends on the support of very large groups [ … ] that Telegram has really good support for,” Chu said.
“On the other hand, Signal or Wire groups are limited to a few hundred people, and Signal shows everyone your phone number anyway. Some of us already use Signal and Wire in a small closed group, but public discussions and announcements will still rely heavily on Telegram.”
Edition ZDNet asked for comments to the Telegram, and the company has studied the problem: “we Have protective measures to prevent the import too many contacts — it was to prevent such a scenario,” — said the representative of the Telegram [actually confirming that the bug with leak of confidential data is a feature]. — Our data shows that the bot in the screenshots was locked to import contacts after two seconds — and it managed to successfully import 85 contacts (not 10,000). Once you get banned from importing contacts, you can add a maximum of five new numbers per day. The rest of the contacts you add will look like they don’t use Telegram, even if they do.”
However, experts say that this limitation can be circumvented
An attacker with rich resources, like a government intelligence Agency, can easily use multiple bots rather than one — and end up importing the entire sequence of phone numbers he wants to cover.
The essence of the problem is that the users themselves did not expect such a trick from the messenger. They expected the “Nobody” setting to forbid viewing their phone numbers, whether they were on the contact list or not.
But Telegram said that this particular setting doesn’t work like that, and it never worked like that: “there’s no mistake: just like WhatsApp or Facebook Messenger, Telegram messenger is based on phone contacts. This means you should be able to see your contacts who are also using the app, the company said in a statement. – Phone number settings control phone number visibility for users who don’t HAVE your number (unlike WhatsApp, which shows your phone number to everyone in any group).”
Thus, Telegram confirms that once your phone number is added to any contact list, this person (the attacker) will be able to associate it with the “anonymous” nickname of the user, regardless of the settings.
Telegram warns users that the “Nobody” setting doesn’t actually act the way they think it does. And it’s not a mistake, everything works as it should.
It turns out that the developers of Telegram (like most other messengers) deliberately sacrificed the anonymity of users for the sake of the growth of the social graph. Through address books, it is easier for users to establish contacts with their friends. This helps the” viral ” spread of the messenger and the growth of the audience.