Connect with us

Hi, what are you looking for?



Telegram Messaging App Security Holes Allow Attackers to Decipher Secret Chats: Research

The Telegram messaging app has security holes that allows attackers to get a peak at users’ messages by bypassing encryption, according mobile security firm Zimperium.

The Telegram messaging app has security holes that allows attackers to get a peak at users’ messages by bypassing encryption, according mobile security firm Zimperium.

On its site, Telegram touts the fact that the app is cloud-based and heavily encrypted, and notes that a recently held contest to crack its encryption ended with no winners despite a $300,000 bounty. In the contest, the would-be hackers were able to act as the Telegram server passing info between the users as they attempted to decipher messages sent using the Secret Chats feature.

“All messages in secret chats use end-to-end encryption,” according to the site. “This means only you and the recipient can read those messages — nobody else can decipher them, including us here at Telegram. Messages cannot be forwarded from secret chats. And when you delete messages on your side of the conversation, the app on the other side of the secret chat will be ordered to delete them as well.”‘

However, Zimperium found that by simulating an attack originating from an app/client-side vulnerability that gains additional permissions by running a kernel or root exploit it was possible to uncover Secret Chats that were readable in plain text in the process memory and the Cache4.db file. In addition, it was possible to retrieve the content of a message even after it was deleted.

“How easy is it to elevate privileges on the device in the first place? Very easy,” said Zimperium CTO Zuk Avraham. “Most of the versions out there have existing kernel exploits that are publicly available. We are speaking about more than 90 percent of the market. Obviously sophisticated actors can find their own elevation of privileges vulnerabilities but in most cases you can get the same results while using a publicly available exploit.”

“Once you get code execution on the device (e.g: by installing an app, running a browser exploit or connecting the phone to a malicious charger), the elevation of privileges part is easy if the device has publicly available root/jailbreak – which is the case for most of the OS,” he added.

In a blog post, Avraham noted that the crypto contests by Telegram reference breaking Telegram’s protocol while being in the middle of an encryption conversation. This, he argued, is not a sound idea for two reasons however: in the real world hackers do not play by the rules; and this assumes hackers would try to break Telegram’s encryption in the middle instead of finding weaknesses in other protocols that provide more benefits.

Advertisement. Scroll to continue reading.

“It’s easier to find a vulnerability in a phone and hack it remotely via URL/PDF/Man-In-The-Middle and other attack techniques that I have discussed before,” he blogged. “Once you hack a mobile phone, you need to elevate your privileges in order to gain control of the device. This can be easily done using a Kernel exploit.”

“I simulated an attack originating from an App / Client Side vulnerability that gains permissions by running a kernel exploit (I used CVE-2014-3153)…There are cleaner ways to dump the results, but I just wanted to provide a proof of concept (POC),” he noted in the blog post.

After running the exploit, he dumped the process memory of Telegram and searched for strings that contained the words he sent and received and found them. 

“To complete my research,” he blogged, “I accessed the root shell I received previously from running CVE-2014-3153 to look at the App’s files at /data/data/org.telegram.messenger/ and I discovered a file called Cache4.db in the app’s “files” folder. I assumed “enc_chats”, “enc_tasks_v2”, enc probably stood for encrypted so I fetched this file and examined it. The file contained our secret messages in plain-text!”

Avraham told SecurityWeek Zimperium has reached out to Telegram multiple times during the past 30 days and received no response.

“As part of our official Zimperium Zero Day Disclosure Policy, our intention is to provide vendors with an opportunity to fix the vulnerability so others are not affected by it; however, since Telegram has never responded to us even with an acknowledgement of the issue and proposed date, we have an obligation to make people who are consumers of this app aware of the risks so they can protect themselves,” Avraham told SecurityWeek.

He suggested people using Telegram to send secure texts be careful what they are sending or suspend usage of the app until Telegram resolves the issue.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.