Security researchers have warned that Telegram, a secure messaging app, could leak metadata and expose users to stalking.
Telegram was launched in 2013 by two Russian brothers and bills itself as a comms tool for those who value privacy and security.
The app has been in the news recently when it was discovered to be used by so-called Islamic State ahead of and during the Paris terrorist attacks earlier this month.
According to Ola Flisbäck, a consultant at Sony Mobile Communications, the app makes it easy for people to focus on an individual just by observing presence and status notifications.
Telegram allows users to see who is online. When the app is opened, it lets users who are in your contact list know you are available for chats. When the app is closed, it also notifies others that you are offline. The trouble is that by using a command line interface, it is possible to see who has contacted whom, at what frequency and what time.
“I was surprised to see the amount of metadata received from my contacts. Most of the metadata is not directly visible in the web and mobile clients, but using a third-party client such as vysheng's CLI client any received metadata is displayed,” he said on a Github posting.
By looking at the metadata, an attacker can sometimes “see the victim and another contact taking turns going active/inactive as they pass messages back and forth,” he said.
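To make the side channel concrete, here is an added illustration (not code from the article, from Flisbäck, or from Telegram) that scores how often one contact's "online" events are promptly followed by another's in a constructed presence feed, and then shows why coarsening presence into wide "last seen" buckets (an assumed mitigation, not something the article reports Telegram doing) hides the turn-taking pattern:

```python
"""Presence side channel: fine-grained online/offline events let an
observer spot two contacts 'taking turns'; coarse buckets hide it."""
from collections import defaultdict

# Constructed sample feed an observer would receive: (seconds, user, state).
# alice and bob are exchanging messages; carol is unrelated background noise.
EVENTS = [
    (0, "alice", "online"), (20, "alice", "offline"),
    (26, "bob", "online"), (44, "bob", "offline"),
    (50, "alice", "online"), (71, "alice", "offline"),
    (77, "bob", "online"), (95, "bob", "offline"),
    (101, "alice", "online"), (118, "alice", "offline"),
    (124, "bob", "online"), (140, "bob", "offline"),
    (230, "carol", "online"), (300, "carol", "offline"),
    (380, "carol", "online"), (400, "carol", "offline"),
]


def online_times(events, bucket=1):
    """Per user, the sorted distinct times they came online, coarsened to
    `bucket` seconds. bucket=1 is the raw feed; bucket=300 mimics a status
    that only says 'last seen within the last 5 minutes'."""
    times = defaultdict(set)
    for ts, user, state in events:
        if state == "online":
            times[user].add((ts // bucket) * bucket)
    return {user: sorted(ts) for user, ts in times.items()}


def turn_taking(a_times, b_times, window=60):
    """Fraction of A's online events that B 'answers' by coming online
    within `window` seconds and before A's next online event."""
    if not a_times:
        return 0.0
    answered = 0
    for i, ta in enumerate(a_times):
        nxt = a_times[i + 1] if i + 1 < len(a_times) else float("inf")
        if any(ta < tb <= min(ta + window, nxt) for tb in b_times):
            answered += 1
    return answered / len(a_times)


def leak_report(events, bucket=1, window=60):
    """Pairwise turn-taking scores; high values flag likely conversations."""
    times = online_times(events, bucket)
    users = sorted(times)
    return {(a, b): round(turn_taking(times[a], times[b], window), 2)
            for a in users for b in users if a != b}


if __name__ == "__main__":
    print("raw feed:      ", leak_report(EVENTS))
    print("5-min buckets: ", leak_report(EVENTS, bucket=300))
```

With the raw feed the alice/bob pair scores 1.0 while alice/carol scores 0.0; with 300-second buckets every pair drops to 0.0 because the alternation collapses into a single coarse timestamp.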
The metadata is a considerable problem in itself, “but what makes it worse is that Telegram does not require contacts to mutually agree that they should be connected!” Flisbäck said.
“As long as an attacker knows the phone number of the victim and adds it to the Android contacts, the victim will show up as a Telegram contact and the attacker will automatically subscribe to the victim's metadata. As a bonus, the victim will not be notified in any way and the attacker will not show up among the victim's Telegram contacts,” he said.
An attacker could then guess which contacts a victim has in Telegram and add them as contacts in Android, which would automatically make them contacts in the app itself and allow the attacker to analyse their metadata too.
“Using the metadata the attacker may have a good chance of figuring out who the victim is communicating with and when. That's quite problematic for an app focusing on protecting your conversations from snooping third parties,” he warned.
Flisbäck's findings come less than two weeks after a security researcher named grugq posted on Medium about issues concerning Telegram, among them that Telegram uploads a user's phone contacts to its database in order to build up a picture of who knows whom. Grugq also complained about metadata being exposed on mobile devices and about how difficult it is to set up secret chats, leaving users with chats that aren't as secure as they think because encryption hasn't been enabled.
Justin Clarke, director at Gotham Digital Science and London OWASP Chapter Leader, told SCMagazineUK.com that, based on the blog posting, stalking via Telegram would be easy, “especially if Telegram is sending you metadata about contacts who you've only added by phone number to your contacts, and not had to go through any form of mutual ‘friend request’ process”.
Clarke said: “The would-be stalker would be able to infer that messages were being sent between two parties – you wouldn't be able to know what those were, and it wouldn't be 100 percent reliable, but you'd have a pretty good idea of who is talking to who, and when.”
He didn't believe that the encryption offered by the service would prevent users being stalked. “Not that this doesn't allow you to intercept or otherwise be able to derive what is being sent between the two parties. But often, knowing that two people are talking at all may well be enough for any would-be stalker,” he said.
Clarke added that the only way to prevent stalking via Telegram was to uninstall it. “Telegram requires the use of a phone number for registering, so if the stalker has your number then this will be possible until (and if) Telegram release an update to fix this issue.”
He said this type of “side channel” information is common in apps, but it's usually not easy to derive anything useful out of it without access to someone's phone or the traffic between them. “In this case, you can derive the information about a conversation without being present, and without the parties being aware of it, and that's bad,” said Clarke.