The app's ISIS affiliation has attracted the prying eyes of security researchers and cryptography experts

Dec 1, 2015 09:45 GMT

Telegram, an instant messaging service that has received a lot of bad publicity lately after being used by ISIS members to manage internal communications, was blasted once again, this time by a security researcher known as The Grugq.

The service's claim to fame is its support for encrypted communications, along with a self-destruct mechanism for private messages. The network's recent numbers had its userbase at around 60 million.

Spurred by the recent attention the service has been receiving from the media, The Grugq analyzed Telegram's operational security and found it to be extremely weak and downright negligent.

Contact theft, metadata, and Russian affiliation

According to the OpSec specialist, the Telegram Android app uploads the user's contact list to Telegram's servers without consent. Since each new account is tied to a phone number, this allows Telegram to build a map of all users and who knows whom.

Add to this the fact that Telegram also stores metadata about the other communications it carries, and the service, if ever compromised, could hand over vast amounts of information about its users and their communications.

Since Telegram is a Russian company, and we all remember what happened to VK's CEO last year, when he was forced to leave the country after state-friendly shareholders bought too big a stake in his business, users should also be very wary about the security of their Telegram-stored data.

Since Edward Snowden's revelations showed that the NSA had secretly penetrated many US-based communications services and was hoarding large amounts of metadata, users who don't expect the same from Russia's secret services are just too naive to be allowed on the Internet.

Home-brewed encryption is not trusted by infosec experts

The Grugq's assessment of Telegram doesn't stop there, though; he also points out that the service's encrypted chat capability is not turned on by default.

Users are likely to be fooled by the company's false advertising, and most will have their private chats right out in the open. The Grugq points out that users need to go through special steps before starting a "Secret Chat," which defeats the purpose of promoting the app so aggressively as a secure medium of communication.

To this review of Telegram one can add the opinion of Matthew Green, cryptography professor at Johns Hopkins University in the US, who says that the service's encryption system might need some work, to put it lightly.

"In summary, Telegram is error prone, has wonky homebrew encryption, leaks voluminous metadata, steals the address book, and is now known as a terrorist hangout," says The Grugq. "I couldn’t possibly think of a worse combination for a safe messenger."

Besides the stinging OpSec review, Telegram's Russian connection and the unexpected ISIS affiliation have put the service on a downward spiral, and the company may need to hire a PR firm pretty soon if it plans to keep those 60 million users on its service.