Hong Kong protesters warn of Telegram feature that can reveal their identity




Hong Kong software engineers today issued warnings against using Telegram to coordinate events because of a problem found in the instant messaging application.

According to them, the problem may allow a threat actor, such as law enforcement or Chinese intelligence services, to obtain the phone numbers that users registered their Telegram accounts with. The authorities can then find the real-world identity of the protesters.

The issue is particularly dangerous for protesters who have been very active in public Telegram groups, organizing demonstrations or exhorting other users to attend them.

Telegram plays a crucial role in protests in Hong Kong

Over the past few months, Hong Kong citizens have protested against a proposed Hong Kong government extradition bill, which would facilitate the sending of Hong Kong residents to mainland China to face charges laid by the Chinese state.

Massive demonstrations involving more than one million people took place almost daily, because of what the locals see as a massive intrusion of the Chinese state into their daily lives.

In all these events, the instant messaging application Telegram has played a major role in helping residents organize their gatherings. For example, Telegram played a central role in the event that took place today, when protesters formed a human chain across the city on the thirtieth anniversary of the 1989 Baltic Way event.

The app is appreciated because it supports encrypted anonymous communications and its group chat feature has helped users organize events and pass on instructions to all attendees.

The application allows users to create an account using only their phone number. To maintain their anonymity, users can use a nickname to hide their identity. They can also hide their phone number by selecting "Privacy & Security > Phone Number > Person" in the privacy section of the app.

New bug unveiled today

But earlier in the day, Hong Kong users began sharing on a popular local forum a message about what they called a bug in the Telegram app, which allows a threat actor to unmask a user's phone number even when this setting is set to "Person".

According to reports, an attacker can add tens of thousands of sequential phone numbers to the address book of a phone. The attacker then connects to a Telegram channel where events are organized and synchronizes his contacts with the Telegram application.

At this point, the Telegram app will tell the attacker which of the sequential phone numbers belong to active accounts in the protesters' group.

Image: LIHKG

A law enforcement agency, or an intelligence agency, can then force local mobile operators to reveal the names of people behind these phone numbers. In the case of demonstrations in Hong Kong, Chinese officials could get a list of people who organized or coordinated events via Telegram.

After details about this bug were shared earlier in the day on LIHKG, a discussion forum very popular with Hong Kong residents, the bug was also independently confirmed by several Hong Kong software engineers.

This group of engineers has issued its own alert about the issue and has also tried to contact Telegram to get the problem solved. They say the bug is easy to automate and exploit and has probably already been used.

"The privacy of the [Telegram] phone number has always been a problem since the beginning of this year. We knew that setting the phone's privacy to 'My Contacts' would allow your contacts to see your number. The activists have therefore always asked people to define 'Person', hoping that the phone number would be masked in a public group," said Chu Ka-cheong, director of the Internet Society Hong Kong section and one of the software engineers who confirmed this bug independently, speaking to Xinhua.

"It is not until today that we are aware that the 'Person' setting will allow users who have registered your phone number in the address book to match the phone number to members. This surprised everyone," Chu told ZDNet in an interview.

Users advised to use burner SIM cards

"People who are worried about the leak of their phone number are leaving high-risk public Telegram groups," she said. "This inevitably hampers the coordination of future events and actions."

Chu said that there was no workaround for this data leak at the moment, and that protesters are advising each other to switch to burner SIM cards instead of their main phone numbers.

"But it will be difficult to ask the large crowd to change their phone number," Chu said.

Unfortunately, for many users, it may be too late.

"We suspect some government-sponsored attackers have exploited this virus and use it to target Hong Kong protesters, sometimes putting the protesters' lives at immediate risk," Chu said.

Whether Chinese threat actors have exploited this bug remains unclear, but they hit Telegram with other cyber-attacks at the beginning of the year.

Leaving Telegram is not an option

However, moving the protesters off Telegram is off the table, Chu told ZDNet.

"Switching to another application such as Signal is not a viable option for us because the way that protesters communicate is highly dependent on the support of very large groups. […] Telegram has very good support," said Chu.

"On the other hand, Signal and Wire groups are limited to a few hundred people, and Signal makes your phone number visible to everyone.

"Some of us are already using Signal and Wire in a small, closed group, but public discussions and announcements will continue to rely heavily on Telegram."

Telegram's response

ZDNet asked Telegram for comment earlier in the day, and the company reviewed the problem reported by Hong Kong protesters.

"We have put in place safeguards to prevent the importation of too many contacts, simply to avoid this scenario," said a Telegram spokesman.

"In fact, our data shows that the bot displayed on the screen captures was banned from any further import after two seconds – and managed to import only 85 contacts (and not 10,000)," he said. "Once you are banned from importing contacts, you can only add 5 new numbers a day. The rest of the contacts you add will seem to not use Telegram, even if they are."

However, this ban limit can be bypassed. A determined actor, such as the Chinese state, can easily employ multiple bots to exploit this problem, instead of just one, and eventually import the entire sequence of phone numbers it wants to cover.

Moreover, the problem here is the gap between what the Hong Kong protesters expected and what they got. They expected the "Person" setting to prevent anyone from seeing their phone number, whether or not it is on that person's contact list.

But Telegram said that is not how this particular setting works.

"There is no bug: just like WhatsApp or Facebook Messenger, Telegram is based on phone contacts, which means that you have to be able to see your contacts who are also using the application," the company said.

"Phone number settings control the visibility of phone numbers for users who do not have your number (unlike WhatsApp that shows your phone number to all other members of any group)."

Thus, Telegram is basically saying that once someone adds your phone number to their contact list, they will be able to see it, regardless of the setting chosen.

And Telegram warns users that the "Person" setting does not work as they think. Bug or not, this misunderstanding of the phone number privacy setting has caused panic among many Hong Kong protesters. Although Telegram may dispute that this is a "bug", users may not agree.

Updated at 12:25 ET: shortly after publication, a second Telegram comment disputing that this problem is a bug was added. Title updated accordingly.
