“This is no different from running Facebook Messenger or IRC over TLS. “The ‘mode’ of Telegram we looked at was when messages are encrypted between the client and the server only,” Albrecht explained. Royal Holloway professor Martin Albrecht told The Daily Swig that the researchers offered lessons for other developers of secure messaging apps – for example, industry standard TLS encryption should be a preferred design choice. Telegram has since patched all four flaws, clearing the way for researchers to go public with their findings through a detailed technical blog post. The researchers notified Telegram about their research in April. These particular findings helped further improve the theoretical security of the protocol: the latest versions of official Telegram apps already contain the changes that make the four observations made by the researchers no longer relevant. That said, we welcome any research that helps make our protocol even more secure.
The traits of MTProto pointed out by the group of researchers from the University of London and ETH Zurich were not critical, as they didn't allow anyone to decipher Telegram messages. In a statement, the firm welcomed the research. "The researchers did not discover a way to decipher messages," a representative of Telegram told The Daily Swig. The researchers admit the attack is impractical while Telegram goes further and categorises it as a non-threat. This assault could only succeed after sending billions of messages.

A fourth security weakness made it possible (at least in theory) for an attacker to recover some plain text from encrypted messages – a timing-based side-channel attack that would require an attacker to send millions of messages and observe how long the responses take to be delivered. The third security issue involves a potential manipulator-in-the-middle attack targeting initial key negotiation between the client and the server. The most significant vulnerability among the quartet makes it possible for an attacker to manipulate the sequencing of messages coming from a client to one of the cloud servers operated by Telegram.

A second flaw made it possible for an attacker on the network to detect which of two messages is encrypted by a client or a server, an issue more of interest to cryptographers than hostile parties, the researchers suggest.
The researchers found that Telegram’s proprietary system falls short of the security guarantees enjoyed by other, widely deployed cryptographic protocols such as Transport Layer Security (TLS).

ETH Zurich professor Kenny Paterson commented that encryption services “could be done better, more securely, and in a more trustworthy manner with a standard approach to cryptography”.

The audit excluded any attempt to attack any of Telegram’s live systems.
Standard deviation

Computer scientists from ETH Zurich and Royal Holloway, University of London, uncovered the vulnerabilities after examining the open source code used to provide encryption services to the Telegram app.
UPDATED An analysis of the popular Telegram secure messaging protocol has identified four cryptographic vulnerabilities.

Although none of the flaws are particularly serious or easy to exploit, security researchers have nonetheless warned that the software “falls short on some essential data security guarantees”.

Vulnerabilities highlight risks of ‘knit-your-own’ crypto