Telegram rolled out an update to patch a number of security vulnerabilities in the MTProto protocol. A group of researchers from Royal Holloway, University of London analysed the MTProto encryption protocol used by Telegram and listed the flaws in the app’s cloud chats.
The MTProto protocol is used by Telegram when users do not opt in to end-to-end encryption (E2EE). Telegram’s MTProto protocol is the company’s version of transport layer security, or TLS, a popular cryptographic standard meant to ensure the security of data in transit.
Transport security of this kind does protect Telegram users against man-in-the-middle attacks to an extent, but it has its limits, one of which is that it does not stop servers from reading the full text of messages.
The protocol can also reportedly be exploited to re-order messages, which an attacker could use to manipulate Telegram bots. Another flaw allows attackers to extract plaintext from encrypted messages. Found in the Android, iOS and desktop versions of the app, the flaw would require a lot of work on the attacker’s part, but extraction was still possible.
Telegram has now said that it has rolled out updates to the app, addressing the observations made by the researchers. “None of the changes were critical, as no ways of deciphering or tampering with messages were discovered,” Telegram added in a new blog post.
If you’re using Telegram on desktop, Android or iOS, now is a good time to get the app updated to the latest version from the App Store or Play Store to make sure these security vulnerabilities don’t make you a target for attackers.