Telegram has announced that it fixed vulnerabilities after they were pointed out by a group of researchers from the University of London and ETH Zurich. The researchers say their analysis found “cryptographic weaknesses” in the encryption protocol that pose a risk to data in transit. The central result of the investigation was that MTProto could provide a confidential and integrity-protected channel if special care is taken when implementing the protocol. Telegram uses the MTProto protocol to secure its cloud chats. The platform also offers the popular end-to-end encryption (E2EE), but that has to be enabled manually in the form of “secret chats.”
In a blog post, Telegram notes that the researchers highlighted several traits of MTProto that were changed as a result of their discussions, even before the paper was published. The company says it welcomes any research that helps make the MTProto protocol and Telegram apps more secure. The latest versions of the Telegram apps already contain changes that mainly address four vulnerabilities. The first flaw could let bad actors reorder messages as they were being sent. It could only affect outgoing messages, and only before they were delivered. The second flaw is of “theoretical interest,” but it could pose a risk to the re-sending of unacknowledged messages. Telegram says the latest version uses improved behaviour that simplifies such analysis.
The researchers note that the third flaw was found after analysing Telegram clients: Android, iOS, and Desktop. “[We] found that three of them (Android, iOS, Desktop) contained code which – in principle – permitted to recover some plaintext from encrypted messages.” The last flaw allowed an attacker to intercept the message and mount an “attacker-in-the-middle” attack on the initial key negotiation between the client and the server. Telegram says this may sound scary but was not possible in practice. Overall, all the vulnerabilities have been addressed, and Telegram users are advised to keep the app updated.