Encrypted Messaging App Telegram Leaks Usage Data
All it takes is a third party app and a target’s phone number to track a user.
Even if an app allows encrypted communication, there are often still ways to find out about the people using it. Bearing that in mind, a researcher has found that just about anyone can snoop on the activity of Telegram users, and potentially figure out who they are talking to, by using a third party piece of software.
Telegram is a popular encrypted messaging service available on iOS, Android, and it also has desktop versions. In September, the company's founder Pavel Durov claimed that the platform is used to send 12 billion messages everyday.
Ola Flisbäck, a consultant at Sony Mobile Communications, posted the findings to Github on Saturday. To uncover the flaws, Flisbäck used a third party, command line interface (CLI) client for Telegram. The CLI client can be installed on Linux or Mac OSX.
With this, Flisbäck monitored the activity of an Android device running Telegram. He found that the "android app sends a notification to all contacts when it becomes or stops being the "foreground" app on the device." In other words, whenever someone stops using Telegram—be that for typing or reading messages—that fact is sent to all of the user's contacts.
It's important to emphasise that this snooping is nothing to do with the actual content of a message. Telegram has a "Secret Chat" feature, where users can activate end-to-end encryption of their chats, meaning that their contents can't be read by anyone intercepting the messages.
Nevertheless, metadata can still reveal a substantial amount of information about a user. Indeed, the operational security expert known as The Grugq tweeted that this method could be used to "accurately guess who is talking to whom."
Flisbäck wrote that "An 'attacker' will sometimes see the victim and another contact taking turns going active/inactive as they pass messages back and forth."
The other problem here is that a victim's Telegram usage can be monitored without them even knowing about it. "What makes it worse is that Telegram does not require contacts to mutually agree that they should be connected!" Flisbäck writes. This means that an attacker could add a target to their contact list, and start recording the points at which the target is on and offline, without the victim being aware: All it takes is knowing the target's phone number.
"That's quite problematic for an app focusing on protecting your conversations from snooping third parties," Flisbäck writes.
"Unlike with other mass market messengers, it is even possible to narrow this down to specific contacts with granular 'never share with' and 'always share with' Settings. (See Settings – Privacy & Security – Last Seen)."