Skip to content

0-day bug found on Telegram can be used against protesters in Hong Kong

A new vulnerability affecting Telegram messaging app has been found, which allows an attacker to identify people in a group, even if the phone number is hidden.

The bug was first reported on a discussion forum of Hong Kong protestors and eventually was picked and verified by security researchers from Hong Kong.

How does the bug work?

According to the analysis done by the researchers, including Chu Ka-Cheong, the bug works in the following way.

  • A person X joins a group on Telegram while simultaneously hiding the phone number.
  • The attacker Y, who wants to uncover the real identity of X, adds a large number of phone numbers in the phone book. Adding a massive amount of phone numbers in the phone book increases the possibility that X’s phone number will also be added.
  • Y, who is the attacker then syncs the contacts in Telegram.
  • After syncing the contacts, the attacker Y, then joins the Telegram group where he can clearly see the phone number of X.

As per the document, the attacker, by following the above procedure, can document the phone numbers of any number of members.

The process is simple, and it will not work where the space for phone numbers is large, as it decreases the probability of finding the target’s phone number. But in areas like Hong Kong, where the phone number space is less, this technique can be used to reveal the identity of the group members.

The researchers fear that the government has already begun exploiting the bugs and the protestors of Hong Kong are in danger.

Currently, the bug has been verified on iOS 12.4 and Android 9. Telegram is yet to release an official statement.

In the News: YouTube spoils Chinese propaganda party further; disables 210 channels

Hello There!

If you like what you read, please support our publication by sharing it with your friends, family and colleagues. We're an ad-supported publication. So, if you're running an Adblocker, we humbly request you to whitelist us.

We may earn a commission if you buy something from a link on this page. Thanks for your support.







>