Telegram is a privacy nightmare (personal number leak and OTP hijack)

Telegram can leak your phone number to a stranger without your consent and/or hijack OTP codes.

3 Likes

Telegram sucks

No backdoored Secret Chats on desktop and Web intentionally, full of bad takes too.

They are now infested with cryptocurrencies, like their own for usernames, and USDT: "USDT Stablecoin Payments Launch on Telegram" (Decrypt)

2 Likes

“Not to mention Telegram is vulnerable to SIM-Swaps and SIM-Jacking because of the fact that it relies on a phone number and SMS for signup and signin.”

I am not at all defending Telegram but Signal has this same flaw sadly!

All I can say is there are real use cases for people using Telegram.

I agree Matrix-based messengers have come a very long way and provide a “kind of” similar feature set to Telegram. BUT there are reasons why so many activists, protesters, rebels, certain ethnic communities, etc., picked and keep using Telegram. Telegram was not, is not, and will not be the only tool they use for everything, though.

Not to say Matrix-based messengers have no match with Telegram regarding stability and bot ecosystem, which are both vital in many use cases.

More “private and secure” messengers like Signal are not suitable for huge groups with high moderation needs.

SIM is definitely an issue, and the “feature” offered by Telegram mentioned in OP’s link is definitely a no-go zone. The same goes for the Web3 and business-side offerings from Telegram, which is known to be in partnership with Tencent. There are many malicious TG groups and channels containing malicious files and links; even malicious Telegram clients can be found quite easily.

When you use a piece of software or a service, you need to know its limitations and boundaries. Not even Signal can save you from poor opsec.

I don’t know your threat model, and I am really not defending Telegram. I wish we had all-round better or on-par alternatives, but we don’t.

In short, Telegram can be useful, but use it wisely and carefully.

Edit: Both Telegram and Signal can prevent SIM-swap account takeover with 2-step verification. If you use them, make sure you have enabled and tested it.

4 Likes

But Signal has perfect forward secrecy and when someone else logs into your account, recipients get alerted of the verification number change (aka safety number) and the hacker cannot access your past messages.

1 Like

Signal does not have a 2FA cloud password like Telegram. In this way Signal is less secure than Telegram in terms of account-jacking.

I have no idea wtf this is meant to mean, but Signal does literally have the ability to lock re-registering your phone number with a PIN that you set, i.e., with a second factor. That’s the SIM swap prevention with 2-step verification TinFoilHat mentioned.

1 Like

Difference is with Signal you can’t see old messages but with Telegram you can. Had this happen when I signed up with a VoIP number; I got someone’s very personal chats.

That’s a feature, not a bug. Though Telegram has an option to auto-delete all messages after 90 days or more (configurable) if you haven’t logged in.

I understand, but it’s worse for privacy than how Signal handles it.