4 security vulnerabilities in Telegram’s MTProto encryption protocol compromising the security of the platform’s Cloud Chats was recently disclosed.
Telegram has released an update that addresses a number of security flaws in the MTProto protocol. The MTProto encryption protocol used by Telegram was analysed by a group of researchers from Royal Holloway, University of London, who identified vulnerabilities in the app’s cloud chats method.
Telegram uses the MTProto protocol when users do not want End-to-End Encryption (E2EE). Telegram’s MTProto protocol is the company’s version on Transport Layer Security (TLS), a widely used cryptographic standard for ensuring data security in transit.
TLS security protects Telegram users from man-in-the-middle attacks to some level, but it has flaws, one of which is that it does not completely prevent servers from reading texts.
The protocol can also be exploited to re-order messages, which an attacker may use to manipulate Telegram bots. Another security flaw allows attackers to decrypt plain text from encrypted messages. This security flaw was discovered in the Android, iOS, and desktop versions of the Telegram app, and while it would take a lot of effort on the attacker’s part, it still allowed for extraction of plain text.
Telegram has now announced that it has released updates to the app that address the researchers’ findings. Telegram added in a new blog post “None of the changes were critical, as no ways of deciphering or tampering with messages were discovered,”
If you use Telegram on a desktop, Android, or iOS device, now is a good time to update to the newest version from the App Store or Play Store to avoid being a target for attackers due to these security flaws.