Ola Flisbäck explains that by downloading a third-party command-line interface an “attacker” can quickly open up a whole load of Telegram metadata that could be used to identify who you’re talking to.
20,000 tech-heads descend on Amsterdam
Join us and 20,000 others at our 12th edition of TNW Conference. 2-for-1 tickets available soon.
Although it still takes a bit of additional detective work, if your settings show when you were last seen, the attacker, who only needs to know your phone number in order to start accessing this information, can start working out who you’re messaging.
Telegram on Android doesn’t require you to accept someone as a contact in order for them to add you to their address book, so you’re none the wiser.
“The Telegram Android app sends a notification to all contacts when it becomes or stops being the ‘foreground’ app on the device,” Flisbäck says.
“Using that information alone it’s at times easy to make guesses about who’s talking to who if you have several contacts in common with a ‘victim’.
“An ‘attacker’ will sometimes see the victim and another contact taking turns going active/inactive as they pass messages back and forth.”
The approach seems to work particularly well if the victim and attacker have mutual contacts, enabling the baddie to narrow down the list of possible people engaged in conversation by seeing who is online or offline at a given time.
The team over at Telegram told The Next Web that there’s a quick fix to this: “On Telegram you can control precisely who has access to your online and last seen status (see Settings — Privacy & Security — Last seen).
“Privacy settings operate on the API level, so it does not matter which apps are used — official or unofficial. If you’re not sharing your data, it can’t be accessed.”
While this does offer a workaround, it obviously doesn’t help if you haven’t yet realised this is happening.
And if you turn on this setting, you will also be prevented from seeing if other people are online, while Telegram also still displays an approximate last seen time for you.
There is an exception to this, which is if you message someone while not sharing data, you do appear online for a few seconds to that particular person.
You can also override all of this to specifically include or exclude certain people, as in the screenshot above.
Although this does start getting a little complicated!