Cyber thugs have been exploiting a zero-day flaw in the Telegram Messenger desktop app in order to mine for cryptocurrencies or to install a backdoor to remotely control victims’ computers. Kaspersky Lab discovered “in the wild” attacks on Telegram Messenger’s Windows desktop client back in October 2017. 

The vulnerability in the popular Telegram app had been actively exploited since March 2017 to mine a variety of cryptocurrencies, such as Monero, Zcash, Fantomcoin and others. Yet the multi-purpose malware being delivered was capable of doing more than secretly use the computing power of victims’ machines to mine cryptocurrencies. 

Today, researchers at Check Point Security announced a new attack against WhatsApp and Telegram, targeting the way both chat services process images and multimedia files.

In the WhatsApp case, Check Point was able to craft a malicious image that would appear normal in preview, but direct users to a malware-laden HTML page. Once loaded, the page will retrieve all locally stored data, enabling attackers to effectively hijack the user’s account. The vulnerability was reported to both services on March 8th, and both have changed their file upload validation protocols to protect against the attack.

Despite saying that he “respects” Telegram’s founder, Russian Pavel Durov, NSA whistleblower Edward Snowden said the messenger lacks security at its default settings. “I respect @durov, but Ptacek is right: @telegram's defaults are dangerous. Without a major update, it's unsafe,” former CIA employee tweeted.

Snowden was referring to a specialist in cryptographic and embedded software security, who tweeted that Telegram’s plaintext is stored on the server. Pointing towards the vulnerability of such a setup, Snowden hinted that the plaintext of the messages should not be accessible to a service provider at all for a connection to be truly secure.

Researchers discovered another round of privacy challenges for Telegram, the messaging app founded by Russian tech entrepreneur brothers Nikolai and Pavel Durov.

Sony Mobile Communications consultant Ola Flisbäck found that the messaging app displayed metadata that allows attackers to determine who Telegram users are messaging. Flisbäck was “surprised by the amount of metadata received” about contacts, he wrote on Github. The app's metadata can also be exploited by a third party command-line interface client, providing attackers with more data to determine who the user is interacting with on Telegram.

The terrorist groups are encouraging its followers to use Telegram to make their propaganda invisible from law enforcement, but some security experts believe that Telegram may not be as secure as jihadi advocates may like to believe.

Telegram is an end-to-end encrypted messaging service that has been adopted by a lot more people than ISIS — as of last year, the company claimed more than 50 Million Telegram users sending 1 Billion messages per day. Terrorists love Telegram because it not only provides an encrypted Secret Chat feature that lets its users broadcast messages to unlimited subscribers but also offers self-destructing message.

This past spring, Juliano Rizzo and I came up with a cryptographic attack on Telegram's MTProto "secret" chat communications which can be performed in roughly 264 operations. The attack happens from an active MITM position on Telegram's servers.

By default, messages sent by users which are not part of a secret-chat are logged and stored on Telegram's servers in a way that allows Telegram to view the message contents and hand them out to intended parties. This always holds true when a conversation can move across devices. Those chats are not private, so users should be very careful. 

United Capital Partners, a Russian investor who holds 48% of VKontakte, the second largest social network service in Europe after Facebook, got involved into public discussion around an encrypted IM application Telegram.

Supposedly UCP sent out a letter to Russian media companies describing in detail three negative scenarios for Pavel and Nikolai Durov, creators of Telegram, who also launched “VK” in 2006. The letter included copies of experts’ documents trying to prove that Telegram’s claim as a secure messenger is worthless. United Capital Partners officials refused their relation to the letter.