Easily hacked? Are you guessing or do you have proof?
Cryptography contests
Telegram has organized two cryptography contests to challenge its own security. Third parties were asked to break the service's cryptography and disclose the information contained within a secret chat between two computer-controlled users. A reward of respectively US$200,000 and US$300,000 was offered. Both of these contests expired with no winners.[269][270] Security researcher Moxie Marlinspike and commenters on Hacker News criticized the first contest for being rigged or framed in Telegram's favor and said that Telegram's statements on the value of these contests as proof of the cryptography's quality are misleading. This was because the cryptography contest could not be won even with completely broken algorithms such as MD2 (hash function) used as key stream extractor, and primitives such as the Dual_EC_DRBG that is known to be backdoored.[271][272][273]
2019 Puerto Rico "Telegramgate"
Main article: Telegramgate
Telegram was the main subject surrounding the 2019 Puerto Rico riots that ended up in the resignation of then Governor Ricardo Rosselló after a Telegram chat leaked, with hundreds of pages of a group chat on the messaging application Telegram between Rosselló and members of his staff from his term. The messages were considered vulgar, racist, and homophobic toward several individuals and groups, and discussed how they would use the media to target potential political opponents.
Data selling bot
The chairman of the public organization "Electronic Democracy" Volodymyr Flents on 11 May 2020 announced that a Telegram bot appeared on the Web, which sold personal data of citizens of Ukraine. It is estimated that the bot contains data from 26 million Ukrainians registered in the Dіia application. However, subsequently, Deputy Prime Minister and Minister of Digital Transformation Mikhail Fedorov denied fakes about the sale of data from "Dіia". The criminal activity of 25 people has already been confirmed and copies of 30 databases were seized.[274][275][276]
Security breaches
In 2013, an author on Russian programming website Habr discovered an unexplained modification to the Diffie-Hellman key exchange scheme as described in the first version of MTProto specification that would allow an attacker to mount a man-in-the-middle attack and prevent the victim from being alerted by changed key fingerprint. The bug was fixed by the company shortly after the initial publication without any explanation.[206]
On 2 August 2016, a report by Reuters stated Iranian hackers compromised more than a dozen Telegram accounts and identified the phone numbers of 15 million Iranian users, as well as the associated user IDs. Researchers said the hackers belonged to a group known as Rocket Kitten. Rocket Kitten's attacks were similar to ones attributed to Iran's Islamic Revolutionary Guards Corps. The attackers took advantage of a programming interface built into Telegram. According to Telegram, these mass checks are no longer possible because of limitations introduced into its API earlier in 2016.[207]
On 30 March 2020, an Elasticsearch database holding 42 million records containing user IDs and phone numbers was exposed online without a password. The accounts listed in the database were those belonging to users in Iran, extracted from an unofficial government-sanctioned version of Telegram. It took 11 days for the database to be taken down, but the researchers say the data was accessed by other parties, including a hacker who reported the information to a specialized forum.[208][209][210]
In September 2020, it was reported there have been successful large-scale Iranian government phishing and surveillance by RampantKitten targeting dissidents in Telegram.[211] The attack relied on people downloading a malware-infected file from any source, at which point it would replace Telegram files on the device and 'clone' session data. David Wolpoff, a former Department of Defense contractor, has stated that the weak link in the attack was the device itself and not any of the affected apps: "There’s no way for a secure communication app to keep a user safe when the end devices are compromised."[212]
Really you don't have to be a bright spark, and these are only what's communicated.