Key takeaways

  • Telegram offers end-to-end encryption (E2EE) only in “Secret Chats.” Regular chats are server-client encrypted, meaning Telegram can access the content.
  • Messages and media are stored on Telegram’s servers, raising privacy concerns if compromised.
  • Telegram has addressed past vulnerabilities, such as message reordering and plaintext recovery, but potential future issues remain a concern.
  • Use strong passwords, enable two-step verification, report suspicious content, and be cautious about what information you share to stay safe.

Telegram is often preferred over other messaging apps for its speed, versatility and stated commitment to privacy. But, like any technology, it is not free of vulnerabilities. Despite end-to-end encryption (E2EE) in Secret Chats and its reputation as a secure, crypto-friendly app, it has faced several issues that have raised cybersecurity concerns, and there are risks users should be aware of.

Plus, events like the arrest of Pavel Durov, Telegram’s founder, have added to the platform’s uncertainty. Considering these issues, this guide will walk you through the potential vulnerabilities of Telegram and provide practical tips on staying safe while using the app.

After all, to protect your personal data, you must be aware of these risks, regardless of how frequently you use Telegram for communication.

Telegram’s MTProto protocol

MTProto lies at the core of the Telegram Messenger application. Let’s explore MTProto in more detail:

What is MTProto?

Telegram uses its own encryption protocol, MTProto. The specification is published, but the design is non-standard and Telegram-specific. The protocol protects messages between the app and Telegram’s servers and, in Secret Chats, between the two participants’ devices, where E2EE resembles a private tunnel accessible only by you and the recipient. Telegram designed MTProto for efficiency and speed, particularly on mobile networks.

Figure: How end-to-end encryption works

How does it work?

MTProto combines several standard primitives: 256-bit AES (in IGE mode) to encrypt message payloads, 2048-bit RSA to protect the initial handshake with Telegram’s server, and Diffie-Hellman key exchange to establish a shared secret, both between client and server and, in Secret Chats, directly between the two participants. Without the right keys, intercepted traffic cannot be read.

Did you know? MTProto, the encryption protocol used by Telegram, was initially designed for a game called “Mafia” that Pavel Durov, Telegram’s founder, created. The protocol’s focus on speed and efficiency, developed for the game, later proved invaluable in Telegram’s messaging platform.

How does Telegram implement MTProto?

Telegram applies MTProto differently in regular and Secret Chats. Regular “Cloud Chats” are encrypted only between your device and Telegram’s servers; the servers hold the keys, so Telegram can read those messages, and it relies on this to sync them across your devices. In Secret Chats, a second MTProto layer is keyed with a Diffie-Hellman secret that only the two devices know, so the ciphertext relayed through Telegram’s servers is opaque to Telegram itself. The conversation exists only between you and the recipient.

Comparing encryption protocols: Telegram, WhatsApp and Signal

Telegram’s client apps are open source, but the server-side code remains closed. It provides E2EE only for Secret Chats, as noted above.

The Signal protocol, by contrast, is open source (client and server) and provides E2EE for messages and calls by default. WhatsApp’s own code is closed source, but it uses the Signal protocol for its E2EE, including across multiple linked devices.

Here’s how Telegram’s MTProto compares with WhatsApp and Signal on the basis of E2EE and cloud backup functionality:

Telegram

  • E2EE: Not enabled by default in Cloud Chats; only available in Secret Chats. Regular chats use server-client encryption, which means Telegram’s servers can read the contents.
  • Cloud backups: Cloud Chats live on Telegram’s servers, so users can view their messages on any device. That convenience is exactly why those chats cannot be end-to-end encrypted.

WhatsApp

  • E2EE: Turned on for all chats, calls and media by default. Once media is downloaded to your device, it is stored at rest and no longer protected by E2EE.
  • Cloud backups: Backups to iCloud or Google Drive are not end-to-end encrypted unless you turn on WhatsApp’s optional end-to-end encrypted backups; without that setting, the backup provider holds readable copies of your chats.

Signal

  • E2EE: Enabled by default for all types of communication, including text, calls and media. Signal retains almost no account data on its servers (essentially the registration date and last connection time), so a server breach exposes very little.
  • Cloud backups: Signal was developed with privacy in mind. There are no cloud backups (Android offers only local, encrypted backups), and it offers disappearing messages and metadata minimization.

Notably, none of the three is free of concerns. WhatsApp retains metadata about who talks to whom and when, which makes it less private than Signal, which minimizes what it stores (for example, through “sealed sender”). But even Signal isn’t immune: an observer on the network can still analyze traffic patterns such as timing and volume.

WhatsApp has faced attacks that correlate encrypted traffic with visible metadata, and all three apps are subject to government data requests. And whatever E2EE protects in transit, messages sit in readable form on the endpoint devices, so a compromised phone or laptop exposes them regardless of the protocol.

Similarly, Telegram’s MTProto encryption has its fair share of shortcomings, particularly regarding IND-CCA (indistinguishability under chosen-ciphertext attack). A 2015 paper by Jakobsen and Orlandi showed that MTProto 1.0 fails to meet IND-CCA security and does not guarantee integrity of ciphertexts (INT-CTXT): because the padding was not covered by the message key, an attacker could produce a second valid ciphertext for the same plaintext. Telegram replaced that design with MTProto 2.0 in 2017, but the episode is a reminder that non-standard protocols need independent analysis.

Let’s dive deeper into Telegram vulnerabilities.

Key vulnerabilities in Telegram

Despite its widespread use in communication, Telegram has certain vulnerabilities and potential security concerns, including:

Encryption concerns

  • Not everything is end-to-end encrypted: Only Secret Chats support E2EE on Telegram. Cloud Chats are encrypted in transit and at rest, but Telegram holds the keys and can read them if required, which matters if you expect complete privacy. Group chats are never end-to-end encrypted, and the more members a group has, the more likely one of them will be socially engineered or coerced into leaking its contents.
  • Custom encryption protocol: Telegram uses its own protocol, MTProto, rather than a widely analyzed standard such as the Signal protocol. Cryptographers have long criticized this “roll your own crypto” choice, and a 2016 Gizmodo article made the point for a general audience that not all Telegram chats are fully secure.

Cloud storage risks

  • Data lives on Telegram’s servers: Your regular messages and media are stored in Telegram’s cloud, a centralized store and therefore a large target. If those servers are breached, or if Telegram is compelled to hand over data to a government, your information is exposed.
  • You must trust the privacy policy: For Cloud Chats you are relying on Telegram’s privacy policy, not on cryptography. If data is retained longer than the policy states, or longer than you expect, you have no technical way to know.

Risks from APIs and bots

  • API exploits: Weaknesses in third-party integrations, or in how they use Telegram’s application programming interface (API), can expose your data or disrupt the service. A common failure is an integration that trusts data Telegram hands it (such as a login callback) without verifying the signature Telegram attaches to it.
  • Bots can be a problem: Telegram permits bots, which are useful but a security concern if the bot isn’t audited. A bot added to a group can read every message in it if its “privacy mode” is switched off, and its operator (not Telegram) decides what happens to that data.
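The integration failure described above is easy to reproduce with Telegram’s Login Widget. Telegram documents the check a site must perform: build a data-check-string from every received field except `hash`, sorted and joined as `key=value` lines, and compare the received `hash` against HMAC-SHA256 of that string keyed with SHA256 of the bot token; `auth_date` should additionally be checked against the clock to reject replays. The code below is an added example, not Telegram’s or any library’s code; `login_unchecked` and `login_verified` are hypothetical names, the bot token is constructed, and `sign_for_demo` stands in for Telegram’s servers so the example runs offline.

```python
import hashlib
import hmac
import time

# Constructed demo token; a real token has the same shape but is issued by @BotFather.
BOT_TOKEN = "123456789:AAExampleTokenForTheDemoNotReal"


def data_check_string(fields: dict) -> str:
    """All received fields except 'hash', sorted, as key=value lines (Telegram's documented format)."""
    return "\n".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "hash")


def expected_hash(fields: dict, bot_token: str) -> str:
    """HMAC-SHA256 of the data-check-string, keyed with SHA256(bot_token), hex-encoded."""
    secret = hashlib.sha256(bot_token.encode()).digest()
    return hmac.new(secret, data_check_string(fields).encode(), hashlib.sha256).hexdigest()


def login_unchecked(fields: dict) -> str:
    """Vulnerable integration: trusts the user id straight from the callback parameters."""
    return fields["id"]


def login_verified(fields: dict, bot_token: str, now=None, max_age: int = 86400):
    """Hardened integration: returns the user id only if the hash and freshness checks pass."""
    received = fields.get("hash", "")
    if not hmac.compare_digest(expected_hash(fields, bot_token), received):
        return None  # forged or tampered payload: hash does not match
    try:
        auth_date = int(fields["auth_date"])
    except (KeyError, ValueError):
        return None
    now = time.time() if now is None else now
    if now - auth_date > max_age:
        return None  # stale payload being replayed
    return fields["id"]


def sign_for_demo(fields: dict, bot_token: str) -> dict:
    """Stand-in for Telegram's servers: produce a correctly signed callback payload."""
    signed = dict(fields)
    signed["hash"] = expected_hash(signed, bot_token)
    return signed


# Constructed sample callback, as the widget would redirect it to the site.
GENUINE = sign_for_demo(
    {"id": "424242", "first_name": "Alice", "username": "alice", "auth_date": "1700000000"},
    BOT_TOKEN,
)
# An attacker edits the id in the query string but cannot recompute the hash without the token.
FORGED = dict(GENUINE, id="1")

if __name__ == "__main__":
    now = 1700000100
    print("unchecked, forged  :", login_unchecked(FORGED))            # 1  (account takeover)
    print("verified, genuine  :", login_verified(GENUINE, BOT_TOKEN, now))
    print("verified, forged   :", login_verified(FORGED, BOT_TOKEN, now))
    print("verified, replayed :", login_verified(GENUINE, BOT_TOKEN, now + 90000))
```

The `max_age` window is a policy choice; Telegram only says `auth_date` can be used to reject outdated data. Keep the bot token out of client-side code, since anyone holding it can mint valid callbacks for any user id.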

Metadata exposure

  • Phone number required: You must provide a phone number to sign up. This is a problem if you want anonymity, because it ties the account to an identifier that can be traced back to you.
  • Watching your moves: Even in Secret Chats, where Telegram cannot read the content, it still sees metadata such as who you talk to, when, and from which IP address. Combined with the readable Cloud Chats, this gives a clear picture of what you do on the platform.

Secret Chat issues

  • Limited to a single device: A Secret Chat exists only on the device where it was started; it is not synced to your other devices. Because Secret Chats are opt-in, everything you do not explicitly start as one is a Cloud Chat, which is not end-to-end encrypted. Cryptographer Matthew Green of Johns Hopkins University has criticized this, calling the feature “oddly difficult” for non-experts to activate.
  • Self-destructing messages have limits: Secret Chats let you set messages to self-destruct, but nothing stops the recipient from photographing the screen with another phone before the timer expires.

Phishing and social engineering risks

  • Impersonation risks: Attackers can easily impersonate people on Telegram since anyone can create an account with a username that sounds similar to someone else’s. Phishing attacks or the dissemination of misleading information may result from this.
  • Social engineering attacks: While the fact that you can communicate without disclosing your phone number is a privacy benefit, it also makes it easier for someone to pose as someone else and trick you into disclosing private information.

Did you know? Telegram welcomes security feedback at security@telegram.org. If your suggestion leads to a code or configuration change, you could earn a bounty ranging from $100 to $100,000 or more, depending on the impact of the change!

In addition to the risks above, researchers from Royal Holloway and ETH Zurich examined MTProto in depth and published their findings as “Four Attacks and a Proof for Telegram” (IEEE Symposium on Security and Privacy, 2022). They found four weaknesses that could have endangered Telegram users, and, after the fixes, a security proof for the patched protocol under certain assumptions.

Let’s understand what those vulnerabilities are:

Message reordering vulnerability

  • Issue: An attacker on the network could reorder messages sent from a client to the server without being able to read or forge them, changing the meaning of a conversation. In the paper’s example, the sequence “I say yes to”, “all the pizzas”, “I say no to”, “all the crimes” can be reordered by swapping the second and fourth messages.
  • Impact: The recipient then reads “I say yes to all the crimes. I say no to all the pizzas.” Every message is authentic; only the order was manipulated.
  • Fix: Telegram confirmed and addressed this issue in version 7.8.1 for Android, 7.8.3 for iOS and 2.8.8 for Telegram Desktop.
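The reordering problem is a general one: a receiver that authenticates each message but does not enforce sequence numbers can be fed authentic messages in the wrong order. The following is an added example, not Telegram’s code and not MTProto; it models the same situation with a shared key and an HMAC over a sequence number and body, and contrasts a lenient receiver (the vulnerable behaviour) with a strict one that rejects any frame out of sequence. The key, frame format and messages are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key shared by the two endpoints; not a real Telegram auth key.
SESSION_KEY = b"demo-session-key-not-a-real-telegram-key"


@dataclass
class Frame:
    """One protected message on the wire: sequence number, payload and MAC."""
    seqno: int
    body: bytes
    tag: bytes


def _mac(seqno: int, body: bytes) -> bytes:
    # The MAC covers the sequence number as well as the body, so an attacker can
    # neither forge nor edit a frame. Payload encryption is omitted: reordering
    # does not need to defeat it, because confidentiality is not what breaks here.
    return hmac.new(SESSION_KEY, seqno.to_bytes(4, "big") + body, hashlib.sha256).digest()


def seal(seqno: int, body: bytes) -> Frame:
    return Frame(seqno, body, _mac(seqno, body))


def authentic(frame: Frame) -> bool:
    return hmac.compare_digest(_mac(frame.seqno, frame.body), frame.tag)


def receive_lenient(frames: list) -> str:
    """Vulnerable receiver: verifies every MAC but trusts the arrival order."""
    return " ".join(f.body.decode() for f in frames if authentic(f))


def receive_strict(frames: list) -> str:
    """Hardened receiver: each frame must carry exactly the next expected seqno."""
    expected = 0
    parts = []
    for f in frames:
        if not authentic(f):
            raise ValueError("bad MAC on seqno %d" % f.seqno)
        if f.seqno != expected:
            raise ValueError("out-of-order frame: got %d, expected %d" % (f.seqno, expected))
        parts.append(f.body.decode())
        expected += 1
    return " ".join(parts)


def strict_rejects(frames: list) -> bool:
    """True if the strict receiver refuses the stream (used to show the hardened outcome)."""
    try:
        receive_strict(frames)
    except ValueError:
        return True
    return False


def attacker_reorder(frames: list) -> list:
    """Network attacker: swaps the 2nd and 4th frames without touching their contents."""
    swapped = list(frames)
    swapped[1], swapped[3] = swapped[3], swapped[1]
    return swapped


# Constructed sample conversation, split into four frames as in the paper's example.
SENT = [seal(i, text) for i, text in enumerate(
    [b"I say yes to", b"all the pizzas.", b"I say no to", b"all the crimes."])]

if __name__ == "__main__":
    print("honest order, lenient:", receive_lenient(SENT))
    print("reordered,    lenient:", receive_lenient(attacker_reorder(SENT)))
    print("honest order, strict :", receive_strict(SENT))
    print("reordered,    strict :", "rejected" if strict_rejects(attacker_reorder(SENT)) else "accepted")
```

The strict receiver is deliberately unforgiving: a gap or a repeat is treated as an attack rather than tolerated, which is the behaviour you want from a transport that promises ordered delivery. The MAC alone, however strong, cannot provide that ordering guarantee.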

Message encryption detection

  • Issue: Under specific conditions, an attacker could tell which of two specially chosen messages had been encrypted by your client or by the server, a break of the indistinguishability property that encryption is supposed to provide.
  • Impact: Primarily theoretical, but it leaks information about the encrypted content that a sound protocol must not leak.
  • Fix: Telegram confirmed and fixed the issue in the same versions mentioned above.

Plaintext recovery attack

  • Issue: Under specific circumstances, an attacker could recover parts of your encrypted messages by sending millions of specially crafted messages and observing how the client handled them (a timing side channel). The researchers found the issue in three Telegram clients: Android, iOS and Desktop.
  • Impact: If carried out successfully, the attack compromises the confidentiality of Telegram messages, but it is not easy to execute.
  • Fix: Telegram rolled out updates to address this vulnerability in the mentioned clients.

Man-in-the-middle attack on initial key negotiation

  • Issue: During the initial key negotiation, an attacker could trick your app into believing it was talking to Telegram’s server when it was not, and from there read and alter your messages.
  • Impact: The attack requires sending billions of messages to the target within minutes, so it is hard to pull off, but a successful attacker could secretly read or change your messages.
  • Fix: Telegram implemented server-side mitigations and added additional security measures in client versions 7.8.1 for Android, 7.8.3 for iOS and 2.8.8 for Desktop.

The latest official Telegram apps have been updated to address all four issues. But because the server side remains closed source and Telegram relies on its own protocol rather than a widely reviewed standard, concerns about backdoors or undiscovered weaknesses will persist for anyone unwilling to take Telegram at its word.

Figure: Telegram vulnerabilities found during security analysis, impact vs. Telegram’s response

Did you know? Telegram’s development team doesn’t ship separate security updates. Fixes arrive as part of regular releases without a prominent announcement. So, if you’re a Telegram user, keeping the app updated is crucial for keeping your communications secure.

Countries where Telegram is banned or restricted

Surfshark and Netblocks reported that 31 countries have banned or restricted Telegram since 2015, affecting over 3 billion people globally. 

Here are some of the countries where Telegram has faced bans or scrutiny: 

  • United Kingdom: In response to allegations that Telegram channels were used to organize anti-immigrant riots in August 2024, tighter regulations were implemented.
  • Germany: Considered banning Telegram in 2022 after identifying channels that may have violated hate speech laws. It ultimately imposed a 5-million-euro fine for noncompliance with local regulations.
  • Spain: A court ordered Telegram blocked in March 2024 over copyright complaints, but the order was suspended within days, before it took effect.
  • Norway: Banned government officials from using Telegram on work devices because of national security concerns.
  • China: China has blocked Telegram since 2015, following a distributed denial-of-service (DDoS) attack on its servers, which some suspect was used to justify censorship.
  • Indonesia: Blocked in 2017 for hosting forums and channels that promoted radicalism and terrorism, with demands for better content control mechanisms.
  • India: Not officially banned but has faced restrictions and increased scrutiny due to its use in spreading misinformation, illegal content and role in organizing protests.
  • Ukraine: The app has played a vital role in wartime communication, but there are concerns about its possible exploitation by Russian entities.
  • Belarus: During the 2020–2021 Belarusian protests, Telegram was crucial for organizing rallies amid an internet shutdown, and Apple later asked to remove protest channels.
  • Brazil: In March 2022, a Supreme Court justice briefly suspended Telegram nationwide for ignoring court orders related to disinformation. The ban was lifted two days later once Telegram complied. In April 2023, Telegram was fined and suspended again for not fully complying with an investigation into neo-Nazi groups.
  • Russia: Russia banned Telegram from 2018 to 2020 after its CEO refused to share user data, but the app remained popular and was used by government departments such as the Foreign Ministry and the COVID-19 task force.
  • Iran: Telegram was banned in 2018 for its role in facilitating anti-government protests and spreading uncensored information.
  • Pakistan: The app has faced intermittent bans due to concerns over its use for spreading extremist content and bypassing government censorship.
  • Cuba: The government restricted access to Telegram to curb the organization of anti-regime demonstrations and the spread of dissenting views.
  • Thailand: Telegram was banned in 2020 for its use in organizing pro-democracy protests against the government.
  • Egypt: Occasionally restricted during political unrest as the government seeks to control communication and prevent protest organizations.

How to keep your Telegram account safe

Many people use Telegram without first taking the time to learn how it works. Understanding how to navigate and use Telegram properly is key to keeping your account and content secure.

  • Share sensibly: Be cautious when sending images, videos and texts. Even a disappearing message can be captured if the recipient screenshots or photographs it before it expires.
  • Never reveal your passcode: Your passcode prevents unauthorized access to your chats. Take care not to disclose your passcode to anyone.
  • Recognize false information: Not all information shared by people on the app is true. Be aware to recognize misinformation and deepfakes.
  • Report improper content: Telegram enables you to report unlawful, improper or abusive content. To access reporting features, tap the three-dot icon at the upper-right corner and tap “Report.”

Figure: Reporting feature on Telegram

But what if your Telegram account has been hacked? First, don’t panic. If you still have access, open “Settings > Devices” (in older versions, “Privacy and Security > Active Sessions”) and terminate every session you don’t recognize; that logs the attacker out of your account.

Next, set a strong local passcode and enable two-step verification, so that an attacker who intercepts an SMS login code still cannot log in without your password. If you have lost access entirely, contact Telegram support. Afterward, review and tighten your privacy settings (who can see your phone number, add you to groups, or forward your messages) and stay alert to further login attempts.

In short, maintaining the security of your Telegram account necessitates a mix of preventive actions. Remain alert, watch for questionable activities, and don’t be afraid to ask for help when needed. Investing in your online security is always worthwhile.