A new security problem should concern anyone who has recently switched from WhatsApp to Telegram or is considering doing so. Here are the facts.
The new reality for Facebook’s flagship messaging platform, WhatsApp, is that the landscape has changed since its nightmare start to 2021. Signal has moved from niche to mainstream. Telegram, which was widely used in the west, has seen a significant increase in use in western markets. This is in addition to its historical strength in less-open markets. Each user will be able to benefit from the network effect, which will bring millions more people to it.
As I have explained, although Signal is more secure than WhatsApp, Telegram is not. Telegram’s cloud-based architecture poses a significant risk compared to Signal’s end-to-end encryption and WhatsApp’s protocol.
Telegram group messages are encrypted between your phone and Telegram’s cloud. Your message history and chat history are also stored on Telegram’s cloud. If you transfer your WhatsApp chat history (which is not wise), this will also be stored on Telegram’s cloud. Telegram holds the keys to decrypt any data you store on the cloud. This is the same encryption issue that Apple and Google cloud backups have.
This is evident in the campaign by law enforcement agencies to compromise encryption in order to allow lawful monitoring and interception of user content. The industry rightly argues that such compromises would invariably weaken security for all. If you are concerned about serious issues such as child safety, it is better to deploy metadata monitoring (as Facebook does) or to restrict the availability of encryption, possibly by age or when a smartphone has been linked to an account.
Telegram will not discuss the serious security issues it has when compared with Signal and WhatsApp. Its claims that it is safer than WhatsApp are clearly false. End-to-end encryption is the best in the messaging industry. Period. Telegram always refers to its secret chats. These are end-to-end encrypted, but can only be used between two people on one device, bypassing the cloud storage.
A security report published this week has revealed new vulnerabilities. Dhiraj Mishra, the researcher behind this report, told me that even though the messages were deleted, the conversations that were sent and received in Telegram for macOS did not disappear. Mishra also discovered that audio and video attachments that were secretly sent could be found on the same storage path as Telegram’s default encrypted messages.
Mishra also discovered that Telegram stored locally held macOS passcodes in plaintext. He said that Telegram could be used as a local attack vector to view chats of end users and bypass the control.
Although this is a less severe issue, it doesn’t mean that security should be a priority. A Telegram endpoint breach could have serious consequences due to access to the cloud storage. The architecture allows instant multi-device access and always-synced messaging, and allows draft messages to be created on one device and finished on another. Security-wise, however, all this comes at a high price.
Mishra claims that Telegram fixed both of these issues in version 7.4 and paid him a bounty. The platform has not responded to my request for comment.
These issues were disclosed and fixed. This is just one more reason why switching from WhatsApp to Telegram, with its inability to support default end-to-end encryption, is bad. Pavel Durov is the founder of Telegram. He stated that Telegram was the most downloaded app in the world in January 2021. This is because users are switching from WhatsApp’s end-to-end encryption to Telegram’s cloud-based option.
Mishra states that he has identified other vulnerabilities in Telegram. Telegram leaks sensitive information, even when using e2ee secret messaging technology. “The quality of Telegram’s e2ee could be improved.” This makes it much easier for millions of WhatsApp users to make or consider that switch. Only Signal is a truly superior alternative.
“Use Signal,” Mishra confirms, telling me that “Signal REDACTs sensitive endpoints–sessionID, attachementDownloads etc–keeping all this in mind, Signal textsecure protocol is better than Telegram and WhatsApp.”
Mishra suggests that you delete all your “Cloud Drafts” under “Privacy and Security” and limit your Telegram conversations. Many cryptologists have criticised Telegram’s security model in the past.
This new report aside, there is no need to hurry to move from WhatsApp because of this year’s privacy backlash. Nothing has changed. You can use Signal and WhatsApp simultaneously, as I have said in recent weeks. As more of your contacts do so, you will find yourself using Signal more often and WhatsApp less. That’s fine security- and privacy-wise.