No protection and a hidden API to steal data: Hackers publish their own comments on Telegram
August 28, 2024
What’s wrong with Telegram?
The founder of Telegram was arrested in France on August 24 and accused of facilitating a number of crimes that he allowed to flourish on his messenger. This incident did not go unnoticed by the world media and ordinary users. The hackers also reacted: some came to the defense of the company’s director and attacked French websites, while others, on the contrary, supported law enforcement.
The Hacker’s Choice was among those who spoke out against Durov and his service.
“Pavel was not arrested for criticizing Macron. He was arrested for facilitating a wide range of crimes, including drug trafficking and racketeering. He should also have been arrested for lying to the public and having connections to the Kremlin. Anyone who knowingly and deliberately lies to citizens about security should be in jail,” says the statement of the hacker association.
Before explaining their position on the messenger, the activists present three reasons why, in their opinion, Telegram should be closely analyzed by law enforcement:
Telegram is “NOT ENCRYPTED”. The entire history of your chats is fully stored on the app’s servers and will remain there forever. It allows anyone with access to the servers to read it. Here, the hackers cite a detailed study by Matthew Green, a cryptographer and professor at Johns Hopkins University, in which he lays out his thoughts on encryption in the app and explains why Telegram’s claim of being an “encrypted messaging app” is highly exaggerated. FALSE.
Telegram is a shady company that does not disclose the details of its activities. In such companies, we know almost nothing about the executives, finances, business processes and other details that are usually publicly available.
Telegram is probably an FSB operation.
A secret API steals your data and missing messages never go away
The authors of The Hacker’s Choice article say that they do not trust Telegram for a reason. In 2022, they worked on the Telegram API (a set of tools that allow developers to interact with software, accessing its processes, information, and functions) and discovered undocumented (i.e. hidden) features that allow a third party to download any group chat without having to be in it. This works even in private chats that are hidden from prying eyes by settings.
Additionally, the hackers claim that “disappearing and automatically deleting messages on Telegram is marketing nonsense.” During the analysis, they removed “years’ worth of messages,” but later found they were all “nicely formatted with HTML,” with all usernames, metadata, media, audio recordings, and more.
“Telegram built a slick API for extracting data. With all the bells and whistles. A well-organized backdoor. And then didn’t document it. FOR WHOM? Smells fishy to me,” they write on The Hacker’s Choice blog.
Sanctions simulation
Researchers also recall incidents several years ago when Russian state authorities allegedly tried to block Telegram. As a result of this Roskomnadzor operation, much of the Russian Internet, including state websites, was down for several hours. However, Telegram still continued to function despite claims that it was banned, blocked, slowed down or otherwise taken down.
“Russia banned Signal and recognized [WhatsApp developer] Meta as an extremist organization. Instead, the Russians are switching to Telegram, an unencrypted messaging app with an undocumented API for government-style data leaks. Think for yourself,” the activists say, stating directly that all news about a Telegram ban is fake.
“All users in Russia continued to use TG without any problems. No bans. No restrictions,” the article continues.
Durov’s “conflict” with Russian authorities
Pavel Durov left Russia after losing control of his first major project, the social network VKontakte. In fact, if you believe the theory that this was all a big FSB show, he was forced to sell it, or pretended to be forced to sell it. Durov very quickly announced that he would create a new social network, but it would be entirely smartphone-based and would not have a web version like traditional social networks. As a result, we have a messenger that has not looked like a social network for a long time, but has begun to “overgrow” with its typical functions in the last few years.
“Pavel claims that he left Russia because of a disagreement with the Russian state. I think in time we will learn that Pavel left Russia to have a better negotiating position with the FSB: he is harder to control when he lives abroad and less prone to ‘window suicides,’” writes The Hacker’s Choice.
“Where is the technical documentation for their engineers? Why don’t we see them in the public domain like we see Moxie Marlinspike, Meredith Whittaker, Phil Zimmermann? Why aren’t TG engineers at every IETF meeting where strong encryption and privacy are being developed? Why isn’t TG open about encryption? Why don’t they allow review? Or at least partially open it up to public review?” the hackers ask. These are logical questions, but no one has the answers yet.
The hackers also note that Durov promoted a “smear” campaign against rival app Signal by claiming the service was “in cahoots with the government.”
“Bullshit. We’ve known the people at Signal since we were kids. They’ve earned our trust; they’ve fought tirelessly to make encryption accessible to the masses, and they’ve fought tirelessly in many other areas to help people get rid of their encryption. Control by authoritarian regimes. Russia banned Signal because [messages] it is impossible to intervene.” Activists added that Telegram was introduced instead.
In June 2020, the Russian dictator Putin praised Telegram as an example of “constructive cooperation.” The report notes that opposition bloggers are “disappearing like flies.” On August 20, 2024, Durov traveled to Azerbaijan, and online speculation later emerged that the billionaire had traveled there to meet with Putin, who arrived there on August 18. It is not known whether such a meeting actually took place, but both sides denied it. On August 20, Putin was already in Chechnya.
Financing
We also don’t know the exact details of Telegram’s finances. Durov has always claimed he funds it out of his own pocket, and has even listed various amounts he allegedly spends on server maintenance.
The initial monetization of the service only began in the last two years with the launch of an advertising platform with a Premium subscription, paid features, and very high prices. This means Durov allegedly ran the company at his own expense for 10 years.
How realistic it is for a businessman to spend so much time working to his own detriment remains an open question, left to the discretion of each reader.
What do they want from Telegram?
Finally, the hacker group The Hacker’s Choice outlines the steps a company should take if it wants to position itself as a “secure messaging app” and continue to market itself as a service that “fights against oppressive governments”:
Implementation of p2p encryption by default.
Opening the source code. Hackers write: “Stop hiding your encryption. It’s not secure unless it’s peer-reviewed. What do you need to hide?”
The API carries the scent of the FSB entity and this needs to be removed.
Telegram is the service of choice for Russian blackmail groups, so this moment needs to be managed better.
It is necessary to tell the world that all messages are stored on servers even after they are deleted. The authors call for “STOP LYING TO USERS”.
It should be “obvious” to non-technical users that the service is not secure by default.
“Stop hiding in the shadows. Get out there. Show us who you are. Meet us at conferences. Come to IETF. Show us what you can do. Your skills that go beyond data mining, storage and extraction.”
“Explain where your money comes from. Tell us about your business plan. Show us your accounts, beneficiaries, corporate structure, and shed light on the background of each executive.”
John Wilkes is a seasoned journalist and author at Div Bracket. He specializes in covering trending news across a wide range of topics, from politics to entertainment and everything in between.