Home > Security > Security News

Researchers Found Several Cryptographic Flaws in the Telegram App

Last updated September 25, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist
efs cryptography

A team of researchers from the University of London and ETH Zurich published a paper describing their methods to four attacks against Telegram, relying on weaknesses in the cryptographic system (MTProto 2.0) of the popular instant messaging app. Since Telegram counts over 500 million monthly users who trust it for secure communications, any findings that threaten to break the encryption protocol are crucially important and have potentially wide and deep repercussions.

The four flaws discovered by the boffins are the following:

  1. An attacker can reorder the messages that fly from a client to the server of the platform. The attack is trivial to perform and could cause serious trouble to the user by altering the contents of their messages.
  2. An attacker can detect which messages were encrypted on the client-side and which were encrypted on the server-side. This is an attack that mostly has a theoretical interest rather than a practical significance.
  3. There’s a way to recover some plaintext from encrypted messages from all Telegram clients (Android, iOS, desktop), essentially devastating the confidentiality of the messages exchanged in the platform.
  4. A malicious individual can launch a “man-in-the-middle” attack by leveraging the initial key negotiation between the Telegram client app and the platform’s server. The end result would be to impersonate the server to the client, receiving all messages in a readable form.

Telegram has addressed all of the above as the researchers informed the project’s developers prior to the publication of their paper but have chosen not to issue security advisories at the time of patching. Attack scenarios 1, 2, and 4 have been addressed in version 7.8.1 for Android, 7.8.3 for iOS, and 2.8.8 for Telegram Desktop client apps, while attack number 3 was fixed last month.

Besides the fact that the problems have been fixed now, so you don’t need to worry about anything if you’re using the latest version of the app, we should note that the study proved the strength of MTProto on several occasions. What we would suggest is to use third-party (forks) Telegram clients where the implementation of the encryption protocol may not have been done appropriately. If you trust Telegram for your communications, the official app would be your best bet.

More on Security

Add a Comment
Related
‘Head Mare’ and ‘Twelve’ Hacktivists Allegedly Collaborate in Targeted Russian Attacks
facebook
Facebook Says ‘FreeType’ Arbitrary Code Execution Vulnerability May Have Been Exploited in the Wild
Man holding an envelope targeted by a fishing hook, depicting phishing attack
Blind Eagle Launches New Cyber Campaigns Against Colombia’s Govt and Financial Institutions
New Cybersecurity Threat Targets Japanese Organizations Via Actively Exploited RCE Flaw
Novel ‘EvilLoader’ Telegram  Vulnerability Cloaking APKs as Video Files Threatens Android Users
CISA Adds Cisco, Hitachi, Microsoft Exploited Vulnerabilities to Catalog, Urges Remediation
Most Popular
Severance
Severance Season 2 Episode 9 Explained: Mark’s Ancestry, Irving’s Train stop, Dylan’s Resignation, and more
Adolescence
Adolescence Ending Explained: Jamie’s Motivations to kill Katie, Eddie’s Guilt, and Online Radicalization
Invincible Season 3
Invincible Season 3 Episode 8 Ending Explained: Conquest's fate, Atom Eve’s Power & Season 4 Setups
‘Head Mare’ and ‘Twelve’ Hacktivists Allegedly Collaborate in Targeted Russian Attacks
facebook
Facebook Says ‘FreeType’ Arbitrary Code Execution Vulnerability May Have Been Exploited in the Wild
North Korean Spyware ‘KoSpy’ Attributed to APT37 Targets Android Devices
Severance Season 2 Episode 9 Explained: Mark’s Ancestry, Irving’s Train stop, Dylan’s Resignation, and more
Adolescence Ending Explained: Jamie’s Motivations to kill Katie, Eddie’s Guilt, and Online Radicalization
Invincible Season 3 Episode 8 Ending Explained: Conquest's fate, Atom Eve’s Power & Season 4 Setups
‘Head Mare’ and ‘Twelve’ Hacktivists Allegedly Collaborate in Targeted Russian Attacks
Facebook Says ‘FreeType’ Arbitrary Code Execution Vulnerability May Have Been Exploited in the Wild
North Korean Spyware ‘KoSpy’ Attributed to APT37 Targets Android Devices

Most Popular
Severance
Severance Season 2 Episode 9 Explained: Mark’s Ancestry, Irving’s Train stop, Dylan’s Resignation, and more
Adolescence
Adolescence Ending Explained: Jamie’s Motivations to kill Katie, Eddie’s Guilt, and Online Radicalization
Invincible Season 3
Invincible Season 3 Episode 8 Ending Explained: Conquest's fate, Atom Eve’s Power & Season 4 Setups
‘Head Mare’ and ‘Twelve’ Hacktivists Allegedly Collaborate in Targeted Russian Attacks
facebook
Facebook Says ‘FreeType’ Arbitrary Code Execution Vulnerability May Have Been Exploited in the Wild
North Korean Spyware ‘KoSpy’ Attributed to APT37 Targets Android Devices
Severance Season 2 Episode 9 Explained: Mark’s Ancestry, Irving’s Train stop, Dylan’s Resignation, and more
Adolescence Ending Explained: Jamie’s Motivations to kill Katie, Eddie’s Guilt, and Online Radicalization
Invincible Season 3 Episode 8 Ending Explained: Conquest's fate, Atom Eve’s Power & Season 4 Setups
‘Head Mare’ and ‘Twelve’ Hacktivists Allegedly Collaborate in Targeted Russian Attacks
Facebook Says ‘FreeType’ Arbitrary Code Execution Vulnerability May Have Been Exploited in the Wild
North Korean Spyware ‘KoSpy’ Attributed to APT37 Targets Android Devices

© 2025 TechNadu, a part of Leaprove Media LLP. All Rights Reserved.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: