from Hacker News

A Telegram bug that disclose phone numbers of any users in public groups

by 07d046 on 8/23/19, 11:18 AM with 62 comments

  • by 22c on 8/23/19, 1:33 PM

    Whilst not the same as mentioned in TFA, I noticed in Signal that if you allow it access to your contacts it will tell you how many of your contacts are already on Signal. I understand this is useful from a usability/discoverability aspect, but from a privacy perspective I have no reason to be made aware of the fact that one of my old bosses who's number is in my phone is on Signal and neither should they know that I am on Signal for the same reasons (or lack thereof).

    What's worse is there seems to be no way to opt-out of this behavior. I can deny Signal access to my contacts, thereby not knowing which of my contacts are on Signal, but that doesn't stop the other party from knowing if I am on Signal if they have given Signal access to their contacts.

    It's not farfetched to consider a world where an oppressive regime may outlaw the use of something like Signal, Telegram or even WhatsApp and they'd be able to easily determine if you're using such a service through passive techniques such as these.

    As far as I know, Wickr is a bit more privacy focused, but it doesn't tick the open source box for me (although the supposed source code is published[1] for public review).

    [1] https://github.com/WickrInc/wickr-crypto-c

  • by RichardHeart on 8/23/19, 6:00 PM

    1 point by RichardHeart 44 minutes ago | parent | edit | delete [-] | on: Telegram 0-day vulnerability that can be used to d...

    "TELEGRAM'S REPLY ZDNet has reached out to Telegram for comment earlier today, and the company has looked into the issue reported by Hong Kong protesters. "We have safeguards in place to prevent importing too many contacts - exactly to prevent the scenario," a Telegram spokesperson said.

    "In fact, our data shows that the bot displayed on the screenshots got banned from further imports after two seconds - and only managed to successfully import 85 contacts (not 10,000)," it said. "Once you get banned from importing contacts, you can only add up to 5 new numbers per day. The rest of the contacts you add will look like they're not using Telegram - even if they are."

    However, this ban limit can be bypassed. A determined threat actor like the Chinese state can easily employ multiple bots to exploit this issue, instead of just one, and they'll eventually import the entire phone number sequence they want to cover."

  • by yaro2015 on 8/23/19, 12:45 PM

  • by chipotle_coyote on 8/23/19, 4:53 PM

    You know what would be a great way to mitigate this kind of attack vector? Stop insisting on tying identity to phone numbers.

  • by samat on 8/23/19, 7:55 PM

    Telegram says they block massive contacts imports, says that particular bot was able to add only 85 contacts and then throttled to 5 new contacts per day.

    My questions is how do they distinguish legitimate imports? I have 2K phone numbers in my address book. Would it take a year for me to be able to message my friends on telegram?

  • by mahemm on 8/23/19, 4:13 PM

    The widespread usage of Telegram in a situation as sensitive as the Hong Kong protests is a failure on behalf of the security industry in educating the public.

    Even WhatsApp is miles better, but in reality it should be a no-brainer for the relevant people to use Signal or perhaps Threema/Wire. What a shame that charlatans have successfully marketed themselves to the top of this segment with a distinctly inferior product.

  • by hmnom on 8/23/19, 12:49 PM

    It could be argued you already had the phone number of your victim.

    If mobile numbers in your country are in the 2________ range, how feasible is it to add millions of phone numbers to your contact list to find out the number of someone? I think this is nonsensical.

  • by johnnycab on 8/23/19, 2:19 PM

    This appears to be a similar attack vector, to the one which might have been used for scamming Swiss Revolut customers, by determining legitimate users via the phone number range, in order to deliver fraudulent SMS messages.

    https://www.reddit.com/r/Revolut/comments/cu07cv/revolut_sca...

  • by anthony_barker on 8/23/19, 1:09 PM

    f*ck no wonder I get so many robo calls