This document describes a security vulnerability of Telegram that discloses phone numbers of any user in public Telegram groups, regardless of users’ privacy settings.
The bug was first reported in a Hong Kong discussion forum that is popular among Hong Kong protestors: https://lih.kg/1497612
We are a team of software engineers in Hong Kong, and our team has independently verified the bug.
The bug has already been made public, and it has high impact and low attack complexity. We suspect that government-sponsored attackers have exploited this bug and used it to target Hong Kong protesters, in some cases posing immediate danger to the lives of the protestors. We are writing up the bug here and requesting that Telegram respond to this serious issue as soon as possible.
Telegram has a very important role in the current Hong Kong protests. We have been using Telegram to coordinate many demonstrations and direct actions in a decentralized fashion, and we can only do so because Telegram provides protestors with a sufficient level of anonymity.
The bug leaks the phone number of users, regardless of their privacy settings, to any other member with groups in common. It causes severe harm to the privacy of all Telegram users, including people who need to communicate freely in order to protect their freedom.
Here is the case and the steps to reproduce the bug:
1. Alice's phone number will never be shown in Telegram group info because she has set the phone number privacy to Nobody.
2. Mallory adds a large number of phone numbers to her address book and syncs them to Telegram.
3. The phone numbers of unknown people in public groups are now visible in Group info, even though their Phone Number Privacy was set to Nobody.
Mallory can see Alice's phone number in Group info. In theory, if Mallory adds enough phone numbers, she can uncover the phone number of any member of a public group. It is a real threat for us because the space of possible phone numbers in Hong Kong is limited.
We have independently verified the bug with these settings:
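To make the root cause concrete, here is an added model of the visibility decision the write-up describes. It is illustrative code written for this page, not Telegram's code: the user names, the sample numbers, the `PhonePrivacy` settings and the two decision rules (`phone_visible_flawed`, which lets an imported contact override the target's setting, and `phone_visible_hardened`, which lets only the target's own setting decide) are all assumptions. Running it shows that under the flawed rule Mallory sees Alice's number despite her Nobody setting, while Bob and Carol are visible under both rules because their own settings allow it.

```python
# Added illustration (not Telegram's code): a model of the phone-number visibility
# decision behind the bug, with an assumed flawed rule beside a hardened one.
from dataclasses import dataclass, field
from enum import Enum


class PhonePrivacy(Enum):
    EVERYBODY = "everybody"
    MY_CONTACTS = "my_contacts"
    NOBODY = "nobody"


@dataclass
class User:
    name: str
    phone: str                                   # constructed sample numbers, not real ones
    privacy: PhonePrivacy
    contacts: set = field(default_factory=set)   # numbers this user has imported and synced


def phone_visible_hardened(viewer: User, target: User) -> bool:
    """Hardened rule (assumed): the target's own setting is the only input,
    so a number the viewer imported never overrides Nobody."""
    if target.privacy is PhonePrivacy.EVERYBODY:
        return True
    if target.privacy is PhonePrivacy.MY_CONTACTS:
        return viewer.phone in target.contacts
    return False  # NOBODY


def phone_visible_flawed(viewer: User, target: User) -> bool:
    """Flawed rule (assumed): any number already in the viewer's imported contacts
    is shown first, and the target's setting is consulted only afterwards."""
    if target.phone in viewer.contacts:
        return True
    return phone_visible_hardened(viewer, target)


def group_info(viewer: User, members: list, rule) -> dict:
    """Map of name -> phone that `viewer` would see in a group's member list under `rule`."""
    return {m.name: m.phone for m in members if m is not viewer and rule(viewer, m)}


def leaked_by_flaw(viewer: User, members: list) -> list:
    """Names whose number the flawed rule shows but the hardened rule withholds."""
    flawed = group_info(viewer, members, phone_visible_flawed)
    hardened = group_info(viewer, members, phone_visible_hardened)
    return sorted(set(flawed) - set(hardened))


def build_sample_group():
    """Constructed group: Alice (Nobody), Bob (My Contacts), Carol (Everybody), Mallory."""
    alice = User("Alice", "+0 5550101", PhonePrivacy.NOBODY)
    bob = User("Bob", "+0 5550102", PhonePrivacy.MY_CONTACTS)
    carol = User("Carol", "+0 5550103", PhonePrivacy.EVERYBODY)
    mallory = User("Mallory", "+0 5550199", PhonePrivacy.NOBODY)
    # Bob genuinely has Mallory saved, so My Contacts legitimately reveals Bob to her.
    bob.contacts.add(mallory.phone)
    # Mallory's synced address book happens to contain Alice's number among others.
    mallory.contacts.update({"+0 5550100", "+0 5550101", "+0 5550104"})
    return mallory, [alice, bob, carol, mallory]


if __name__ == "__main__":
    mallory, members = build_sample_group()
    print("flawed rule shows:  ", group_info(mallory, members, phone_visible_flawed))
    print("hardened rule shows:", group_info(mallory, members, phone_visible_hardened))
    print("leaked only by the flaw:", leaked_by_flaw(mallory, members))
```

The point of the comparison is that "the viewer already has this number" is not evidence that the target consented to being linked to it; a contact import proves only that the viewer possesses the digits, so the hardened rule treats the target's setting as authoritative and ignores the viewer's address book for Nobody.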