Telegram is privacy nightmare (personal number leak and OTP hijack)

Telegram can leak your phone number to a stranger without your consent and/or hijack OTP codes.

5 Likes

Telegram sucks

No backdoored Secret Chats on desktop and Web intentionally, full of bad takes too.

They are now infested with cryptocurrencies, like their own for usernames and USDT:
USDT Stablecoin Payments Launch on Telegram - Decrypt

2 Likes

“Not to mention Telegram is vulnerable to SIM-Swaps and SIM-Jacking because of the fact that it relies on a phone number and SMS for signup and signin.”

I am not at all defending Telegram, but Signal has this same flaw sadly!

All I can say is there are real use cases for people using Telegram.

I agree Matrix-based messengers have come a very long way and provide a “kind of” similar feature set to Telegram. BUT there are reasons why so many activists, protesters, rebels, certain ethnic communities etc. picked and keep using Telegram. Telegram was not, is not, and will not be the only tool they use for everything, though.

Not to mention that Matrix-based messengers are no match for Telegram in terms of stability and bot ecosystem, which are both vital in many use cases.

More “private and secure” messengers like Signal are not suitable for huge groups with high moderation needs.

SIM is definitely an issue, and the “feature” offered by Telegram mentioned in OP’s link is definitely a no-go zone. The same goes for Web3 and the business-side offerings from Telegram, which is known to be in partnership with Tencent. There are many malicious TG groups and channels containing malicious files and links; even malicious Telegram clients can be found quite easily.

When you use a software / service, you need to know its limitations and boundaries. Not even Signal can save you from poor opsec.

I don’t know your threat model, and I am really not defending Telegram. I wish we had all-round better or on-par alternatives, but we don’t.

In short, Telegram can be useful, but use it wisely and carefully.

Edit: Both Telegram and Signal can prevent SIM-swap account takeover with 2-step verification. If you use them, make sure you have enabled and tested it.

4 Likes

But Signal has perfect forward secrecy and when someone else logs into your account, recipients get alerted of the verification number change (aka safety number) and the hacker cannot access your past messages.

1 Like

Signal does not have a 2FA cloud password like Telegram. In this way Signal is less secure than Telegram in terms of account-jacking.

I have no idea wtf this is meant to mean, but Signal does literally have the ability to lock re-registering your phone number with a PIN that you set, i.e., with a second factor. That’s the SIM-swap prevention with 2-step verification TinFoilHat mentioned.

1 Like

The difference is that with Signal you can’t see old messages, but with Telegram you can. Had this happen when I signed up with a VoIP number: I got someone’s very personal chats.

That’s a feature, not a bug. Though Telegram has an option to auto-delete all messages after 90 days or more (configurable) if you haven’t logged in.

I understand, but it’s worse for privacy than how Signal handles it.

Telegram is the most susceptible to SS7 attacks, as it doesn’t have any mitigations like Signal does with Signal PINs.

I think that there is a separation that needs to be made clear to the end user: Telegram is NOT an E2EE personal communication app (in addition to other concerns pointed out by others, it leaks your location too), but it is clearly a good enough tool for mass communication that may not necessarily be encrypted or private. I think I agree with @TinFoilHat that it is one of the only mass-adopted media for mass communication that is better than trying to organize a Matrix room or a forum (for example, Iranian and Russian political dissidents use it often, and Telegram tries to help them too). But the problem lies in the fact that Telegram is neither transparent about what specific use cases/threat models it fits, nor is it open to reforming its often moronic crusades against Signal.

2 Likes

Absolutely! First of all, Telegram is a cloud-based media platform. The main value is provided by censorship-resistant channels (with the ability to comment) and public thematic chats. Public channels can be read even without registration. In Russia, Telegram (together with YouTube) remains one of the main platforms for receiving uncensored information. All small independent media and sites are blocked, but YouTube and Telegram remain accessible. Telegram allows you to publish information that cannot be published on YouTube or Facebook.
It can also be used to store and share files up to 2GB.

4 Likes

You have to opt-in to this feature. Not turned on by default.

100%, my apologies if that was not clear from my writing. I still think it being easily exploitable is a bad end-user experience for someone who thinks of Telegram as secure & private.

How’s it different from Telegram’s 2FA password?

1 Like

It is the same, I wasn’t aware of it, thanks.

When you try to log in from a new device, Telegram sends a request to previously logged-in devices. An SMS is sent only if there are no logged-in devices.

On the Cryptographic Fragility of the Telegram Ecosystem

1 Like