A new bug in Telegram

I wanted to know more about Telegram.
By mechanically hammering Telegram’s hashtag into Twitter, I came across a blog from an information security company …

How NOT to develop your application.

A few days ago Pavel Durov announced a campaign to fix bugs in Telegram’s encryption protocol. What follows shows how personal data from a secret chat can be captured without any decryption at all, because of a “design failure”.

Testing tools

Android 4.3 in VirtualBox
Wireshark running on the local machine
HTC One with Android 4.0.3
Telegram 1.3.800 (in VirtualBox)

Methodology

First, install Telegram and name the two users, for example, Alice and Bob. Then create their accounts in Telegram and have them add each other as friends:

Now create a secret chat:

Send a test message:

As we can see in Wireshark, all the data passes through SSL and looks encrypted.

But…

What if we try to send an attachment? For example, geolocation?

Aha! An unencrypted TCP session is opened. Let’s take a closer look:

By default, Telegram downloads the map fragment through the Google Maps API over an unencrypted connection.
From the point of view of security and anonymity, this is a complete failure …

Anyone who controls the channel can intercept all geolocation attachments, bypassing the secret chat on both sides.

In practice, if Snowden sends his geographical position through Telegram to someone who is under NSA surveillance … a Tomahawk will be enough to satisfy General Alexander.
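A regression check for this class of leak, added here as an example and not taken from the original post or from Telegram's code: it scans the URLs an app under test requested and reports any latitude/longitude pair sent over plain http. The log format, the example.test hosts, the coordinates and the Static Maps style `center`/`markers` parameters are assumptions, since the post does not show the actual request.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: URLs as a test proxy might log them for the app under test.
# Hosts under example.test and all coordinates are made up for this example.
SAMPLE_REQUESTS = [
    "https://api.example.test/sendMessage?chat=42",
    "http://maps.googleapis.com/maps/api/staticmap?center=48.858400,2.294500"
    "&zoom=15&size=200x100&markers=color:red%7C48.858400,2.294500",
    "http://cdn.example.test/avatar.png?size=200x100",
    "https://maps.googleapis.com/maps/api/staticmap?center=48.858400,2.294500&zoom=15",
]

# A decimal "lat,lon" pair, e.g. "48.858400,2.294500".
COORD_PAIR = re.compile(r"(-?\d{1,3}\.\d+)\s*,\s*(-?\d{1,3}\.\d+)")


def find_coordinates(url):
    """Return (param, lat, lon) for every query value holding a plausible lat,lon pair."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # Static-map style values may chain fields with "|" (style|style|location).
        for piece in value.split("|"):
            m = COORD_PAIR.fullmatch(piece.strip())
            if not m:
                continue
            lat, lon = float(m.group(1)), float(m.group(2))
            if -90 <= lat <= 90 and -180 <= lon <= 180:
                hits.append((name, lat, lon))
    return hits


def cleartext_location_leaks(urls):
    """List coordinates that would cross the network unencrypted (scheme http)."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # carried inside TLS, not readable by an on-path observer
        for name, lat, lon in find_coordinates(url):
            findings.append({"host": parts.hostname, "param": name, "lat": lat, "lon": lon})
    return findings


if __name__ == "__main__":
    for finding in cleartext_location_leaks(SAMPLE_REQUESTS):
        print("cleartext location leak:", finding)
```

Run against the request log of a test build, an empty result is the pass condition; any finding means a location value left the device outside the encrypted channel.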

Bug fix.

The security team responded relatively quickly to this incident and asked the authors to write to them by e-mail regarding a reward.

If I’m not mistaken, the fix looks like this.

I wonder how much the authors will be paid for the bug they found.

Source.
