Researchers discover security flaws in Telegram encryption protocol
Flaws have already been patched in the latest release of Telegram’s official apps
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Researchers from the University of London’s Royal Holloway have discovered several flaws in the MTProto protocol used by the popular encrypted messaging appTelegram.
While end-to-end encryption (E2EE) is available in one-on-one chats, theMTProto protocolis used in the service’s group chats (also known as cloud chats) as well as when users don’t opt-in for E2EE. MTProto is Telegram’s version of transport level security (TLS) which is used to secure data in transit and to protect users from man-in-the middle attacks.
One of the security flaws discovered by Royal Holloway’s researchers allowed an attacker on the network to reorder messages coming from a client to Telegram’s servers. Although this flaw isn’t particularly dangerous, the researchers did note that it was trivial to carry out.
The researchers also took a deeper look into Telegram’s clients for Android, iOS and desktop where they discovered code that could be potentially be used to target user messages, although the content within would remain protected.
Still secure
Royal Holloway’s researchers discovered a total of four vulnerabilities in Telegram’s MTProto protocol and its clients and disclosed them to the company’s development team back in April.
In the time since, Telegram has updated itsencrypted messaging appand none of the flaws now pose a risk to the company’s users.
In a newblog post, Telegram provided further details on the researchers' work and the changes it has made to patch the flaws, saying:
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“The latest versions of official Telegram apps already contain the changes that make the four observations made by the researchers no longer relevant. Overall, none of the changes were critical, as no ways of deciphering or tampering with messages were discovered.”
ViaGadgets360
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
Cisco issues patch to fix serious flaw allowing possible industrial systems takeover
Washington state court systems taken offline following cyberattack
I’ve used Genmoji and now I’m convinced Apple Intelligence will be a huge success
