Encrypted messaging app Telegram yesterday officially announced steps to curtail a vulnerability that could have enabled authorities to match protesters’ real names to their profiles in anonymous groups, explicitly citing Hong Kong’s long-running pro-democracy protests as part of their rationale.
Hong Kong’s protesters have heavily relied on Telegram to organize their actions — using its anonymity as a shield against authorities’ prying eyes, and its ability to reach large numbers of people instantly to coordinate the fast-moving, “be water” style of protest that has proliferated in recent weeks.
In a statement announcing the new privacy measures, Telegram said that it had envisioned its public groups — which can hold as many as 200,000 people — with “campuses, conventions and spaces where you could properly brag about your cats” in mind.
“However, Telegram communities are also increasingly used by people to organize themselves in the face of oppression,” the statement adds, pointedly including a hyperlink to a news story about Hong Kong on the word “oppression.”
“We believe that all people have a right to express their opinions and communicate privately. To further protect these rights, we’re expanding Telegram’s arsenal of Privacy Settings today.”
The vulnerability was actually pointed out by Hongkongers about two weeks ago, and involved a loophole in a privacy setting that allows users to mask their phone numbers.
Need help from @telegram. We and multiple teams have independently confirmed a serious vulnerability that causes phone numbers to be leaked to members in public groups, regardless of the privacy setting. Telegram is heavily used in #hkprotest, it put HKers in immediate threats
— Chu Ka-cheong (@edwincheese) August 23, 2019
When the setting is enabled, the user’s phone number theoretically remains invisible, but if the number is already in another user’s contacts, it remains visible to that user.
According to a write-up of the bug by a team of software engineers in Hong Kong, someone seeking to exploit the vulnerability would only need to load thousands of numbers onto a device — the authors said they tested their theory by adding 10,000 — sync their contacts with Telegram, then check a group’s info to find matches.
Once the person — for instance, Hong Kong or mainland authorities — has identified a user’s phone number, attaching a real name to an account is as easy as contacting their mobile carrier.
“We have suspected that some government-sponsored attackers have exploited this bug and use it to target Hong Kong protesters, in some cases posting immediate dangers to life of the protestors,” the engineers’ write-up reads.
Telegram has already been the target of at least one state-backed attack originating in China. It reported a “powerful” DDoS attack aimed at crippling its servers on June 12, the day Hong Kong’s police first used tear gas and rubber bullets to disperse a massive crowd of largely peaceful protesters, setting the stage for many violent confrontations to come.
The Telegram patch announced today closes the loophole, adding a new setting that allows users to restrict access to their number to their own contacts, preventing strangers from scraping their number from groups.
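To make the loophole and the fix concrete, here is an added illustration (not code from Telegram or from the Hong Kong engineers’ write-up) that models the visibility rule described above: before the patch, a hidden number still shows to anyone who already has it saved; after the patch, the new contacts-only option decides based on the owner’s own address book. The setting names, account structure and sample numbers are constructed assumptions for the model, not Telegram’s actual implementation.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Set

class PhoneVisibility(Enum):
    EVERYBODY = "everybody"
    MY_CONTACTS = "my_contacts"   # assumed name for the option the article says the patch added
    NOBODY = "nobody"

@dataclass
class Account:
    name: str
    phone: str
    setting: PhoneVisibility
    contacts: Set[str] = field(default_factory=set)  # numbers saved in this account's address book

def visible_before_patch(owner: Account, viewer: Account) -> bool:
    """Loophole as the article describes it: masking hides the number from strangers,
    but a viewer who already has the number saved sees it regardless of the setting.
    (MY_CONTACTS did not exist yet, so it is treated like the old masking setting.)"""
    if owner.phone in viewer.contacts:
        return True
    return owner.setting is PhoneVisibility.EVERYBODY

def visible_after_patch(owner: Account, viewer: Account) -> bool:
    """Assumed model of the fix: the decision depends only on the owner's setting and the
    owner's own contact list; what the viewer has saved no longer grants access."""
    if owner.setting is PhoneVisibility.EVERYBODY:
        return True
    if owner.setting is PhoneVisibility.MY_CONTACTS:
        return viewer.phone in owner.contacts
    return False  # NOBODY

def exposed_to(owner: Account, group: List[Account],
               rule: Callable[[Account, Account], bool]) -> Set[str]:
    """Names of group members who can learn the owner's number under the given rule."""
    return {m.name for m in group if m is not owner and rule(owner, m)}

# Constructed sample group: an organizer who saved a friend's number, the friend who saved
# the organizer's, and a stranger who has the organizer's number in their address book.
organizer = Account("organizer", "+85260000001", PhoneVisibility.MY_CONTACTS, {"+85260000002"})
friend = Account("friend", "+85260000002", PhoneVisibility.NOBODY, {"+85260000001"})
stranger = Account("stranger", "+85260000003", PhoneVisibility.NOBODY, {"+85260000001"})
GROUP = [organizer, friend, stranger]

if __name__ == "__main__":
    print("before patch:", exposed_to(organizer, GROUP, visible_before_patch))  # friend and stranger
    print("after patch: ", exposed_to(organizer, GROUP, visible_after_patch))   # friend only
```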
Hong Kong netizens have already been publicizing the changes.
“Telegram has updated the privacy setting. Now only those in your contacts can find you by phone numbers, Update now!” one Twitter user said.
“Thank you Telegram,” said another. “Thanks for supporting Hong Kong.”