Telegram has rolled out an update to patch security vulnerabilities that a group of researchers highlighted recently with the company's MTProto protocol. Researchers from Royal Holloway, University of London analysed this encryption protocol used by Telegram and highlighted the flaws in its cloud chats method. The MTProto protocol is used when users do not opt-in for end-to-end encryption (E2EE). Telegram has said it has rolled out updates to its app and they “already contain the changes that make the four observations made by the researchers no longer relevant”.
In its latest blog post, Telegram acknowledged the vulnerabilities highlighted by the researchers and said that the latest version of its app comes with fixes for all the flaws mentioned. It further adds: “None of the changes were critical, as no ways of deciphering or tampering with messages were discovered.”
While E2EE is the most preferred method for securing chats, Telegram also uses a protocol called MTProto to secure its cloud chats. This is the company's version of transport layer security (TLS) — a popular cryptographic standard meant to ensure the security of data in transit. TLS protects Telegram users against man-in-the-middle (MITM) attacks to a certain extent but does not stop servers from reading texts completely. One such flaw included the ability to re-order messages and an attacker could use this vulnerability to manipulate Telegram bots.
The researchers also found a flaw that could allow hackers to extract plain text from encrypted messages. This flaw was found in Android, iOS, and desktop versions of Telegram. Telegram notes that extracting text through the mentioned flaw would require a significant amount of work by the hacker.
In any case, all of the flaws mentioned by the researchers are said to have been fixed with the latest update. If you use Telegram, ensure that you are on the latest version by going into your device's app store and installing the latest update.