Telegram Leaks PII, doesn’t care.

WTF01: What’s the Finding - Post 01.

Welcome to the first post in a new series called: What’s the finding or WTF for short, where I detail some random bugs I have found but are deemed non-issues by the companies I’ve reported them to. Do you agree with their assessment or can they do better?

On today’s agenda I am aiming both barrels at Telegram, which describes itself on its website as “a cloud-based mobile and desktop messaging app with a focus on security and speed.”

Let’s look at that interesting choice of words today, namely “security”. As you all probably know by now — I spend some of my free time hunting down bugs on various things. As I spent a little time looking at Telegram I noticed something very odd, curious even. It does in fact, leak pii. Let’s dive into how and possibly why this happens?

When a user [user 1] creates a contact card on their phone for another user [user 2], if user 2 has Telegram then user 1 will see them as a contact listed within the Telegram app, and be able to message them. Even if user 2 doesn’t have user 1 as a saved contact on their device. There is nowhere in the Telegram app itself to turn off this feature. If you have Telegram you will be shown as a user of Telegram. See below:

When a user signs up for Telegram they need to enter at least their first name, with their surname being an option. See below:

Here’s the bug I found, and why I think it’s an issue. If you have the phone number of a Telegram user and then save it — you can confirm that they are a member of Telegram as you’ll have the option to message them. However, if while in Telegram you delete their contact. The display name on their contact within the app will change from the name you chose when you saved the contact on your device, to the first and last name used when the user signed up for a Telegram account. See below:

So what’s the problem here? The problem is that as an attacker I can query any phone number to see if it has a Telegram account. From there add the contact, delete it and retrieve (if they filled in both fields), the user’s first and last name and all without them knowing. Not their username or other information but this, very personally identifiable information. But HaxAlot, why don’t you just report this to Telegram? Well, you fine ladies and gentlemen. I did. This was there response:

But as I confirmed to them, these are NOT groups or contacts in common. So, why is this happening? I think that on the back end the name field must be populated with something so when a user deletes a contact, Telegram just pulls the first name and surname from its database to populate that field. Risky? What say you audience? Is this expected behaviour from an app who pride themselves on security? Or is this another win for me? You decide.

Give a clap if you found this useful, and make sure to follow for more WTF. Coming next I’ve loaded 2 barrels and have aim locked onto Apple.