A new vulnerability affecting Telegram messaging app has been found, which allows an attacker to identify people in a group, even if the phone number is hidden.
The bug was first reported on a discussion forum of Hong Kong protestors and eventually was picked and verified by security researchers from Hong Kong.
Need help from @telegram. We and multiple teams have independently confirmed a serious vulnerability that causes phone numbers to be leaked to members in public groups, regardless of the privacy setting. Telegram is heavily used in #hkprotest, it put HKers in immediate threats
— Chu Ka-cheong (@edwincheese) August 23, 2019
How does the bug work?
According to the analysis done by the researchers, including Chu Ka-Cheong, the bug works in the following way.
- A person X joins a group on Telegram while simultaneously hiding the phone number.
- The attacker Y, who wants to uncover the real identity of X, adds a large number of phone numbers in the phone book. Adding a massive amount of phone numbers in the phone book increases the possibility that X’s phone number will also be added.
- Y, who is the attacker then syncs the contacts in Telegram.
- After syncing the contacts, the attacker Y, then joins the Telegram group where he can clearly see the phone number of X.
As per the document, the attacker, by following the above procedure, can document the phone numbers of any number of members.
The process is simple, and it will not work where the space for phone numbers is large, as it decreases the probability of finding the target’s phone number. But in areas like Hong Kong, where the phone number space is less, this technique can be used to reveal the identity of the group members.
The researchers fear that the government has already begun exploiting the bugs and the protestors of Hong Kong are in danger.
Currently, the bug has been verified on iOS 12.4 and Android 9. Telegram is yet to release an official statement.