A vulnerability has been found in the popular cloud-based mobile and desktop messaging app, Telegram, which allows the compromise of the service's “Secret Chats,” which are supposed to provide end-to-end encryption.
By simulating an attack originating from a mobile app/client-side vulnerability that gains additional permissions by running a kernel or root exploit, Zimperium was able to uncover Secret Chats that were readable in plain-text in the process memory, as well as in a Cache4.db file.
Additionally, once a chat has been deleted, the user may assume that no one trying to read the Secret Chat’s content can retrieve it; however, an attacker can still obtain the content of the messages.
“Telegram claims to be a privacy oriented messaging app capable of encrypting personal and business secrets – only they are not,” explained Zuk Avraham, founder, chairman and CTO of Zimperium, in a blog. “A critical vulnerability discovered by Zimperium Mobile Security Labs exposes their more than 50 million users who believe the app provides the security to chat freely.”
Avraham, who pointed out that the company ironically has held “crypto contests” in the past, started by creating secret messages within the Android version of the Telegram app. From there, he ran the kernel exploit and dumped the process memory of Telegram—finding strings that contain message content.
“While Telegram was founded upon a noble goal of providing privacy to consumers everywhere at no cost, they have fallen short of their objective by focusing purely on data-in-transit versus protecting data-at-rest on the mobile device itself,” he explained. “Telegram’s so-called powerful encryption is not protecting users any better than any other page or app that uses SSL. If you are using Telegram because you want to ensure your privacy and the privacy of the messages you are sending, be aware that it will not stop sophisticated hackers from reading your messages.”
He said that he notified the company of the flaw several times and, after receiving no response for 30 days, has gone public with the proof of concept for the hack.