Telegram has long been popular with those protesting against authoritarian regimes so it is no surprise that protestors in Hong Kong have relied heavily on the service to coordinate their ongoing actions.
But, as we have reported previously, this has made the platform a target for Communist China’s army of state-sponsored hackers. And it seems they might have been enjoying some success.
A vulnerability in Telegram
A newly identified flaw in the group messaging feature of Telegram could risk identifying protestors in Hong Kong as well as other users around the world.
The flaw is thought to have been known about for some time but has been flagged by Chu Ka-Cheong, Director of the Internet Society Hong Kong Chapter, on his Twitter page.
Chu tweeted to Telegram asking for help after he noted that the phone numbers of other members could easily be uncovered by other members of Telegram’s private groups.
Most Hong Kong protestors and others who use Telegram for sensitive or potentially dangerous activities will choose to keep their mobile phone numbers private.
But Chu has figured out that if authorities add thousands of different phone numbers to a device and then sync it with Telegram, they can match stored numbers against the undisclosed numbers in the group. It would then be easy for them to identify the owner of the phone through either their mobile phone operator or other records.
Indeed, Chu believes that the Chinese Communist Party (CCP) may have already exploited the vulnerability. “We have suspected that some government-sponsored attackers have exploited this bug and use it to target Hong Kong protesters,” he warned. “In some cases posting immediate dangers to the life of the protestors.”
In fact, earlier this month, a Hong Kong protestor who was also one of the Telegram chat room organisers was arrested. In a statement confirming the fact, Hong Kong police said that they had identified him through his mobile phone.
The strong implication is now that it was through exploiting this vulnerability in Telegram that they were able to track him down.
What can Hong Kong protestors do?
At the time of writing, Telegram has not found a solution to the vulnerability. They have noted that they limit the number of contacts that can be synchronized and that “once you get banned from importing contacts, you can only add up to five new numbers per day.”
But this is hardly likely to be enough to deter the CCP with its near-limitless resources.
For now, the only real way for Hong Kong protestors to keep themselves safe while using Telegram’s group chat is to connect using anonymous burner phones, with pay-as-you-go sim cards that they only use once.
Interestingly, it is not the first time a vulnerability of this kind has been identified in Telegram. In 2016, Reuters reported that hackers sponsored by the Iranian state had managed to compromise more than a dozen Telegram accounts and through those identified more than 15 million Iranian users.
It should be noted that the flaw exposed by Chu Ka-Cheong is not a backdoor into Telegram and will not reveal any content of any discussions public or private. It does allow users to potentially be identified, which is far from ideal, but it is something which Telegram should be able to patch, sooner or later.
Reasons to stick with Telegram
We would not advocate protestors in Hong Kong moving away from Telegram as a result of this bug. As we noted in our article on the Top 5 Secure Messaging Apps, Telegram is the best there is and that remains the case.
But we would advise caution when using public groups and we would urge Telegram to close this loophole at the earliest opportunity.
In a somewhat ironic twist, while the CCP may be exploiting this flaw in Telegram to try and identify those who are protesting against their totalitarian regime, more and more reports are emerging of people within China communicating their support for the protestors. And what platform are they using to do this? Telegram, of course.
While Telegram may have been banned inside China since 2015, it is still commonly used by many, with VPNs commonly used to allow access.
And if it is good enough for those living in the type of nightmare surveillance state that even George Orwell couldn’t have imagined, it is certainly good enough for you.