Last week, Hong Kong officials claimed to have exposed a serious security breach in Telegram. According to them, the app supposedly allows users to prevent strangers from seeing their phone number in order to protect their privacy, but in practice the restriction is very easy to work around, making it possible to find out the phone numbers of, for example, all the active users in a protest group.
The claim concerns an option in Telegram’s privacy settings that determines who can see the user’s phone number: everyone, the user’s contacts only, or no one.
“We knew that setting the phone number privacy to Contacts allows your contacts to see your number, so activists always instructed people to set (phone number privacy) to no one, expecting it to hide the phone number in public groups,” Chu Ka-chung, director of the Hong Kong branch of a US non-profit organization, told the ZDNet website. “To date, we were not aware that the setting ‘no one’ still allows users who have saved your phone number in their address book to match phone numbers with members of public groups. This surprised us all.”
The “loophole” has always been
However, the app explicitly states, just below that same setting, that “users who have your number stored in their contacts will see it on Telegram.” In other words, the “no one” setting only hides the number from users who have not stored it, while the “Contacts” setting additionally reveals it to people in the user’s contact list even if they have not stored the user’s number themselves.
Hong Kong protesters demonstrated how the government could use this to harass protesters: they created a bot that stored thousands of phone numbers in its contacts, and published screenshots showing that members of a protest group who had chosen to hide their phone number were still exposed to that same bot.
In response, Telegram told ZDNet: “We have the means to prevent too many contacts from being imported – precisely to prevent this scenario. In fact, our information shows that the bot shown in the screenshots (a partner in the Hong Kong forum) was blocked from importing more contacts after just 2 seconds – and managed to import only 85 contacts, not 10,000. After you get blocked from importing contacts, you can only add 5 numbers a day. The rest of your contacts will look like they don’t use Telegram – even if they do.”
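To make the two mechanisms concrete, here is an added Python model that is not code from the article, from Telegram or from the bot described. It encodes the visibility rule quoted from the app (whoever has already saved your number sees it, whatever the setting says) and a hypothetical throttle with the shape Telegram describes: a bulk import that is cut off, after which only five numbers a day are matched and the rest are reported as not being on Telegram. The burst threshold, the `Viewer` and `ContactImportThrottle` names and the sample phone numbers are constructed assumptions; Telegram’s real server-side limits are not public.

```python
"""Model of Telegram's phone-number visibility rule and a hypothetical
contact-import throttle.  Added example, not Telegram's code; thresholds,
names and sample data are constructed assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class NumberPrivacy(Enum):
    """The three values of the 'Who can see my phone number?' setting."""
    EVERYBODY = "everybody"
    MY_CONTACTS = "my_contacts"
    NOBODY = "nobody"


@dataclass
class Viewer:
    name: str
    in_my_contacts: bool        # I have saved this person's number
    has_my_number_saved: bool   # this person has saved my number


def number_visible(setting: NumberPrivacy, viewer: Viewer) -> bool:
    """Does `viewer` see my number?  Encodes the caveat shown under the
    setting: anyone who already has my number saved sees it regardless."""
    if viewer.has_my_number_saved:
        return True
    if setting is NumberPrivacy.EVERYBODY:
        return True
    if setting is NumberPrivacy.MY_CONTACTS:
        return viewer.in_my_contacts
    return False  # NOBODY: hidden only from people who have not saved it


def exposed_to(setting: NumberPrivacy, group: List[Viewer]) -> List[str]:
    """Names of group members who can see my number under `setting`."""
    return [v.name for v in group if number_visible(setting, v)]


@dataclass
class ContactImportThrottle:
    """Hypothetical throttle with the shape Telegram describes: once an
    account has imported more than `burst_limit` numbers it is blocked, and
    from then on only `daily_limit` numbers per day are matched.  Numbers
    beyond the budget are reported as 'not on Telegram' even when they are.
    `burst_limit` is an assumption; the article only gives 85 and 5/day."""
    burst_limit: int = 100
    daily_limit: int = 5
    blocked: bool = False
    total_imported: int = 0
    imported_on_day: Dict[int, int] = field(default_factory=dict)

    def _allowed(self, day: int) -> bool:
        if not self.blocked and self.total_imported >= self.burst_limit:
            self.blocked = True  # burst exceeded: bulk import cut off from now on
        if self.blocked:
            return self.imported_on_day.get(day, 0) < self.daily_limit
        return True

    def import_numbers(self, numbers: List[str], registered: Set[str],
                       day: int) -> Tuple[List[str], List[str]]:
        """Return (matched, hidden): `matched` are registered numbers the
        importer learns about, `hidden` are registered numbers the throttle
        concealed.  `registered` stands in for the server's account table."""
        matched, hidden = [], []
        for n in numbers:
            if self._allowed(day):
                self.total_imported += 1
                self.imported_on_day[day] = self.imported_on_day.get(day, 0) + 1
                if n in registered:
                    matched.append(n)
            elif n in registered:
                hidden.append(n)
        return matched, hidden


if __name__ == "__main__":
    # Constructed group: one person saved my number, one is in my contacts.
    group = [Viewer("saved_me", False, True),
             Viewer("my_contact", True, False),
             Viewer("stranger", False, False)]
    for setting in NumberPrivacy:
        print(setting.value, "->", exposed_to(setting, group))

    # Constructed numbers; the throttle bounds how many a bulk import matches.
    nums = [f"+852-0000-{i:04d}" for i in range(200)]
    throttle = ContactImportThrottle()
    m, h = throttle.import_numbers(nums, set(nums), day=0)
    print("day 0: matched", len(m), "hidden", len(h), "blocked", throttle.blocked)
    m, h = throttle.import_numbers(nums[100:], set(nums), day=1)
    print("day 1: matched", len(m), "hidden", len(h))
```

Running the model shows the article’s point directly: under `NOBODY` the member who already saved the number still sees it, and a bulk import of 200 constructed numbers yields only the first 100 on day one and 5 more on day two, the rest appearing as absent from the service.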
Not just on Telegram
Telegram is not the only app exposed to this “hack”: WhatsApp displays all users’ phone numbers to any other user regardless of any privacy setting, and even Signal, which is considered more secure and private than the other two, reveals participants’ phone numbers in groups.
There are some apps that do not require users’ phone numbers at all, such as Wire, Wickr, RiotChat and Matrix.org, but they lack Telegram’s support for huge groups of thousands of members, which the Hong Kong protesters rely on. Therefore, the protesters do not suggest that people stop using Telegram, but rather that they connect from phones with prepaid SIM cards that are not linked to user information. That way, the government will find it very difficult to identify users even if it can see their phone numbers.