Telegram can leak your phone number to a stranger without your consent and/or hijack your OTP codes.
Telegram sucks
No backdoored Secret Chats on desktop and Web intentionally, full of bad takes too.
They are now infested with cryptocurrencies, like their own for usernames, and USDT: https://decrypt.co/124243/telegram-announces-usdt-stablecoin-payments-on-tron-network
“Not to mention Telegram is vulnerable to SIM-Swaps and SIM-Jacking because of the fact that it relies on a phone number and SMS for signup and signin.”
I am not at all defending Telegram but Signal has this same flaw sadly!
All I can say is there are real use cases for people using Telegram.
I agree Matrix-based messengers have come a very long way and provide a “kind of” similar feature set to Telegram. BUT there are reasons why so many activists, protesters, rebels, certain ethnic communities etc. picked and keep using Telegram. Telegram was not, is not, and will not be the only tool they use for everything, though.
Not to say Matrix-based messengers have no match with Telegram regarding stability and bot ecosystem, which are both vital in many use cases.
More “private and secure” messengers like Signal are not suitable for huge groups with high moderation needs.
SIM is definitely an issue, and the “feature” offered by Telegram mentioned in OP’s link is definitely a no-go zone. The same goes for Web3 and business-side offerings from Telegram, which is known to be in partnership with Tencent. There are many malicious TG groups and channels containing malicious files and links; even malicious Telegram clients can be found quite easily.
When you use a software / service, you need to know the limitations and boundaries. Not even Signal can save you from poor opsec.
I don’t know your threat model, and I am really not defending Telegram; I wish we had all-round better or on-par alternatives, but we don’t.
In short, Telegram can be useful, but use it wisely and carefully.
Edit: Both Telegram and Signal can prevent SIM-swap account takeover with 2-step verification. If you use them, make sure you have enabled and tested it.
But Signal has perfect forward secrecy and when someone else logs into your account, recipients get alerted of the verification number change (aka safety number) and the hacker cannot access your past messages.
Signal does not have a 2FA cloud password like Telegram. In this way Signal is less secure than Telegram in terms of account-jacking.
I have no idea wtf this is meant to mean, but Signal does literally have the ability to lock re-registering your phone number with a PIN that you set, i.e., with a second factor. That’s the SIM-swap prevention with 2-step verification TinFoilHat mentioned.
Difference is with Signal you can’t see old messages but with Telegram you can. Had this happen when I signed up with a VOIP number, I got someone’s very personal chats.
That’s a feature, not a bug. Though Telegram has an option to auto-delete all messages after 90 days or more (configurable) if you haven’t logged in.
I understand, but it’s worse for privacy than how Signal handles it.
Telegram is the most susceptible to SS7 attacks as it doesn’t have any mitigations like Signal does with Signal PINs.
I think that there is a separation that needs to be made clear to the end user: Telegram is NOT an E2EE personal communication app (in addition to other concerns pointed out by others, it leaks your location too), but it is clearly a good enough tool for mass communication that may not necessarily be encrypted or private. I think I agree with @TinFoilHat that it is one of the only mass-adopted mediums for mass communication that is better than trying to organize a Matrix room or a forum (for example, Iranian and Russian political dissidents use it often, and Telegram tries to help them too). But the problem lies in the fact that Telegram is neither transparent about what specific use cases/threat models it fits, nor is it open to reforming its often moronic crusades against Signal.
Absolutely! First of all, Telegram is a cloud-based media platform. The main value is provided by censorship-resistant channels (with the ability to comment) and public thematic chats. Public channels can be read even without registration. In Russia, Telegram (together with YouTube) remains one of the main platforms for receiving uncensored information. All small independent media and sites are blocked, but YouTube and Telegram remain accessible. Telegram allows you to publish information that cannot be published on YouTube or Facebook.
It can also be used to store and share files up to 2GB.
You have to opt-in to this feature. Not turned on by default.
100%, my apologies if that was not clear from my writing. I still think it being easily exploitable is a bad end-user experience for someone who thinks of Telegram as secure & private.
How’s it different from Telegram’s 2FA password?
It is the same, I wasn’t aware of it, thanks.
When you try to log in from a new device, Telegram sends a request to previously logged-in devices. SMS is sent only if there are no logged-in devices.
On the Cryptographic Fragility of the Telegram Ecosystem
Super late to this party. I only became aware of it a couple of months ago through a friend who ran into this issue and asked for my help.
Telegram is charging for SMS verification in some regions, and that’s unacceptable. The fact that the way they do it is by using your phone number as a relay for SMS login codes makes it even worse.
The Telegram subreddit is filled with posts complaining about this SMS Fee.
So far the regions I’ve seen affected by this include the US, some European countries, some Asian countries, and the Middle East.
WORKAROUND:
The only working workaround I’ve seen reported is to install an older version of Telegram on Android, specifically v.11.7.3. However, I’ve read that for some people it’s no longer working. I don’t think there are any workarounds for iPhone since I don’t think you can download an older version of an app on a new device if a new one exists.
THINGS I DON’T GET:
- If Signal can afford SMS verification in “expensive” countries, why can’t Telegram?
The way I see it, Telegram is punishing people who live in poorer countries, which I am guessing is a huge chunk of their user base.
- Why is SMS verification required when you are logged in on another device?
This issue doesn’t just affect people who are signing up to Telegram for the first time. It also affects all existing users who want to log in on a new device, specifically a new phone. Unlike Signal, Telegram allows you to use their app on multiple phones. Although logging in on other types of secondary or third device will not require SMS verification, doing it on a second phone will. Even though I have mixed feelings about this, one could argue this measure is sensible.
- Why is SMS verification required when you are logged on other devices and have 2FA enabled?
Telegram allows you to enable 2FA with a password and email address. When you enable it, you won’t be able to log into a new device without them. It doesn’t make sense to me to force users who have 2FA on to pay for verification via SMS when they have other means to verify themselves.
And those who don’t have 2FA on but are already logged into at least one device should be able to enable it and avoid the SMS verification.
- Why does SMS verification require an email, and why are some email providers blocked?
From what I heard, some people, regardless of whether they have 2FA enabled or not, are required to provide an email address to receive a code for SMS verification. However, for a lot of email domains, although the code is received, it is not accepted when it is entered. For others, it is. It makes zero sense. Even when the code is accepted, you are presented with the screen asking you to pay for SMS verification.
- Why is the only way to pay for SMS verification via P2P?
TELEGRAM DOESN’T CARE ABOUT PRIVACY:
This is terrible for privacy and terrible implementation on Telegram’s part. They are an awful company. There’s a part of me that hates them more than WhatsApp because at least WhatsApp users are more aware that their data is being exploited. Telegram and its founder, Pavel Durov, have a cult grip on their users. I don’t know what it will take to break the curse.
