Archive for Telegram

Telegram Ordered By Russians To Hand Over Encryption Keys….Not That It Can

Posted in Commentary with tags on March 21, 2018 by itnerd

Secure messaging service Telegram has lost a bid before Russia’s Supreme Court to block security services from getting access to users’ data. Those security services, namely the FSB which is Russia’s spy agency wanted access to Telegram’s encryption keys so that they can snoop on all communications. Here’s the problem with that…. At least beyond the fact that Russia wants to spy on Telegram users…. Telegram doesn’t hold users encryption keys. Thus it’s impossible to comply with orders to hand them over. Too bad the company has 15 days to comply or bad things will happen. Though their lawyer plans to appeal. We’ll see how that plays out.



WhatsApp & Telegram Flaw Allows Hijacking Of Accounts…. But Don’t Worry…It’s Fixed

Posted in Commentary with tags , on March 16, 2017 by itnerd

A flaw in in the web version of Telegram and WhatsApp has been discovered that via a specially crafted image, allows a hacker to hijack the account. The flaw was discovered by CheckPoint and here’s what you need to know:

The exploitation of this vulnerability starts with the attacker sending an innocent looking file to the victim, which contains malicious code.

The file can be modified to contain attractive content to raise the chances a user will open it. In WhatsApp, once the user clicks to open the image, the malicious file allows the attacker to access the local storage, where user data is stored. In Telegram, the user should click again to open a new tab, in order for the attacker to access local storage. From that point, the attacker can gain full access to the user’s account and account data. The attacker can then send the malicious file to the all victim’s contacts, opening a dangerous door to a potentially widespread attack over the WhatsApp and Telegram networks.

Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent.

For those of you who are more visual, here’s a video of the pwnage in action:


The good news is that this is already fixed by both parties. And better yet, the phone app appears not to be affected. Still, I’d advise that users of either web app avoid opening suspicious files and links from unknown users and flush your browser cache every once in a while.