Vulnerabilities Found in Telegram’s Encryption Protocol
According to the security study, the vulnerabilities range from technically trivial and easy to exploit to advanced and of theoretical interest. In the end, as demonstrated by ETH Professor Kenny Paterson, who was a member of the team that exposed the vulnerabilities, the four important aspects could be done better, more securely, and more efficiently using a standard approach to cryptography.
Telegram is a free, cloud-based, cross-platform, open-source instant messaging app. It also provides end-to-end encrypted video calling, VoIP, file sharing, and various other functions. It was launched in August 2013 for iOS and in October 2013 for Android.
The greatest vulnerability found by the researchers is one they call the “crime pizza” vulnerability. With it, an attacker could easily modify the sequence of messages sent from a client to a Telegram-operated cloud server.
“For example, if the order of the messages in the sequence ‘I say “yes” to’, ‘pizza’, ‘I say “no” to’, ‘crime’ was altered then it would appear that the client is declaring their willingness to commit a crime,” according to the universities.
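The reordering problem in general form, as an added example that is not from the article, the researchers or Telegram. It does not implement MTProto; the key, packet layout and class names are constructed for illustration. A receiver that only verifies each message's authentication tag accepts a reordered sequence, while one that binds a strict counter into the tag does not.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed shared key, illustration only
MESSAGES = ['I say "yes" to', "pizza", 'I say "no" to', "crime"]  # from the quote


def tag(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def seal_plain(msg: str) -> bytes:
    """Authenticates the content only: nothing ties the packet to a position."""
    body = msg.encode()
    return tag(body) + body


def seal_ordered(counter: int, msg: str) -> bytes:
    """Authenticates an 8-byte counter together with the content."""
    header = struct.pack(">Q", counter)
    return tag(header + msg.encode()) + header + msg.encode()


class PlainReceiver:
    def __init__(self):
        self.accepted = []

    def receive(self, packet: bytes) -> bool:
        mac, body = packet[:32], packet[32:]
        if not hmac.compare_digest(mac, tag(body)):
            return False
        self.accepted.append(body.decode())
        return True


class OrderedReceiver(PlainReceiver):
    def receive(self, packet: bytes) -> bool:
        if len(packet) < 40:
            return False
        mac, header, body = packet[:32], packet[32:40], packet[40:]
        if not hmac.compare_digest(mac, tag(header + body)):
            return False
        # Strict in-order delivery: the authenticated counter must be the
        # next one expected, so a swapped or replayed packet is rejected.
        if struct.unpack(">Q", header)[0] != len(self.accepted):
            return False
        self.accepted.append(body.decode())
        return True


def deliver(receiver, packets, order):
    """Feed packets in the order chosen by the network; return verdicts."""
    return [receiver.receive(packets[i]) for i in order], receiver.accepted
```

Calling `deliver` with the order `[0, 3, 2, 1]` models a network that swaps the second and fourth packets without touching their contents or tags.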
Using one of the more theoretical vulnerabilities, an attacker may detect which of two messages has been encrypted by the client, although particular circumstances are required to do so.
Rather than using more common protocols like Transport Layer Security, Telegram uses its own MTProto encryption protocol. Cryptographers have eyed MTProto skeptically in the past, too. The recent investigation is a reminder that while encrypted apps give considerable protection, they are not 100% impenetrable.
The flaws in Telegram were reported by cryptographers from ETH Zürich, a public research university in Switzerland, and Royal Holloway, a constituent college of the University of London.
“For most users, the immediate risk is low, but these vulnerabilities highlight that Telegram fell short of the cryptographic guarantees enjoyed by other widely deployed cryptographic protocols,” a university summary states.
Telegram wrote that it made changes in response to the disclosure “that make the four observations made by the researchers no longer relevant.”
Telegram also said that there were no critical vulnerabilities.
“We welcome any research that helps make our protocol even more secure,” Telegram said. “These particular findings helped further improve the theoretical security of the protocol.”