Telegram: Is It Private Enough?

3rd August 2016 by in category IT Support Blog tagged as , , , , , , with 0 and 8

Data leaks spotted on Telegram, though quick response saved users from security leaks

Telegram icons by Wowomnom

Does Telegram stick to its promises? The instant messaging client’s unique selling point has been quizzed by numerous IT experts and news sites. Image by Wowomnom (via Shutterstock).

Some time ago, your friends may have told you about this off-limits nuclear bunker in the middle of nowhere. Then you find the bunker’s not-so-secret any more due to the brown tourist signs off the arterial road. You dread the day when I Speak Your Cash ATMs arrive, especially when they say “Mr. Duncan wants to draw out £200.” This week, we have learned of an app which has unwittingly set that precedent. A devastating data leak affected Telegram over the last month.

On Sophos’ Naked Security site, data leaks saw Telegram copy user data into log files. Before you start to panic and think “EEEK, this may have affected my brand spanking new Windows 10 laptop”, fret not. This data link affected MacOS users. If you have a Mac, you access the log files via Terminal. As seen in Kirill Firsov’s tweet, the cutting and pasting of private messages are recorded on the MacOS version.

Apple Macs normally keep system logs of your activities over a seven-day period. Through Terminal it is possible to delete system logs, to free hard drive space. The pasting of private messages onto the log files could be embarrassing for its users. Especially if s/he sells or passes on their Mac to another user. At worst, if your Mac fell into the wrong hands, the information could be used against you (i.e. identity theft).

Within hours of Firsov’s tweet, the vulnerability was fixed. The recent data leak was an embarrassment for Telegram’s developers, which have touted the app’s security values. Shortly afterwards, their website made an announcement on the 02 August over an Iranian hack attack. Reuters said:

“Iranian hackers have compromised more than a dozen accounts on the Telegram instant messaging service and identified the phone numbers of 15 million Iranian users, the largest known breach of the encrypted communications system…”

The article also states that:

“Telegram says it has 100 million active subscribers and is widely used in the Middle East, including by the Islamic State militant group, as well as in Central and Southeast Asia, and Latin America.”

Compare that with the official line from Telegram’s website:

“Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed.”

From the developers’ view, it seems that the respected news agency blew the story out of proportion. Or has it not? Gizmodo, on the 24 June 2016 states the app’s security issues. Its main concern is the lack of encryption for each message, which the FBI favours. It is stated that Telegram’s secure mode is an opt-in measure. Like switching from standard browser modes to incognito modes.

Should I stick with WhatsApp or other instant messaging clients instead?

We at Tabard IT should let you decide. Neither WhatsApp nor Facebook Messenger are perfect and have had a few data breaches in their time. Where Telegram varies is the fact accounts are tied to telephone numbers and verified by SMS text messaging or telephone calls. This leaves the app’s user vulnerable to government influence, a possibility if Westminster’s Investigatory Powers Bill gains Royal Assent.

As for private communication methods which cannot be traced by hackers or government interference, nothing can beat handwritten manuscripts. So long as you keep the minutes of any discussion in a safe place.

Tabard IT, 03 August 2016.

Add comment

Website Design & SEO by netsixtysix.co.uk | Sitemap