I am a massive fan of Telegram Mesenger. When Facebook announced it acquired WhatsApp, I immediately switched for privacy reasons. Miraculously I managed to convince 95% of my friends to install Telegram and switch too. But this week I found out it’s trivially easy to get access to someone’s message history.
Telegram stores users’ message history on its servers. Unless you delete that history, it’s accessible perpetually. That’s a bit scary, but as long as nobody can access your messages, that’s fine. Right?
Well, yeah, but then getting access to anyone’s Telegram account is trivially easy.
Using Webogram, an awesome open-source web client for Telegram, you can sign in to any account you have the phone number of, by simply authenticating via SMS.
iPhone and Android phones show new text messages by default as a notification on the lock screen. So, without unlocking the phone you can read the code and sign in to Telegram.
And ta da! We’re inside!
If you have physical access to someone’s phone, you can read the code and get access to their messages. Now physical access sounds quite a feat, but it’s not. It can mean sitting next to a co-worker, peeking over someone’s phone in the train, or even watching someone’s idle phone from a HD security camera.
I’d suggest Telegram adds some sort of extra authentication, e.g. adding an (optional) password to every phone’s account to make it more difficult to do this.