Vendor doesn't reply to responsible vulnerability disclosure

Feb 24, 2015 13:34 GMT

Cross-platform messenger app Telegram offers communication between two parties that is supposed to be encrypted, but messages can be easily extracted in clear text, a researcher has found; the company did not respond to responsible vulnerability disclosure messages.

The application has versions for desktop platforms (Windows, Linux and Mac), as well as for mobile platforms (Windows Phone, iOS and Android). A web version is available, too.

According to information from the developer, Telegram had 50 million active users as of December 8, 2014, who sent and received one billion messages on a daily basis; all this in just 16 months since its release.

The Telegram challenge

Telegram developers boast about the end-to-end encryption provided in the program and have launched contests with a $300,000 / €265,000 incentive for anyone who wants to try to crack the encryption used to protect the messages.

In the latest round, which ended at the beginning of February with no winner, contestants could act as a Telegram server that facilitates the delivery of information between the interlocutors. They were permitted to deploy any type of active attack or traffic manipulation method.

In the previous contest, with a prize of $200,000 / €176,000, Telegram allowed the contestants to monitor the traffic between the two clients, which is basically a challenge to break the encryption securing the messages.

Simpler approaches are more successful

Zuk Avraham from Zimperium Mobile Security managed to find the secret text through a different approach that led to finding the strings in a non-encrypted form.

He started from the premise that hackers do not play by the rules and relied on an exploit for a Linux kernel vulnerability (CVE-2014-3153, also known as TowelRoot) to gain elevated privileges on the affected machine, and thus extracted Telegram’s process memory. By analyzing the dump file, he could easily find the text strings used for the test.

Taking advantage of the root shell access he gained on the machine with TowelRoot, he found among the files of the application an SQL database called “Cache4.db,” which appeared to include tables with encrypted content (“enc_chats” and “enc_tasks_v2”).

Brief examination showed that they indeed included the communication, but it was in plain text and all the messages used during the test could be seen.
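The finding above, readable text inside tables whose names suggest encryption, is something an app developer can test for on their own builds. The following is an added example, not code from the article or from Zimperium's research: it scans a SQLite database for cells that decode as readable text. Only the table name "enc_chats" comes from the article; the column names, sample rows and function names are assumptions constructed for illustration.

```python
import os
import sqlite3

def looks_plaintext(value, min_len: int = 8) -> bool:
    """Heuristic: a cell that decodes as UTF-8 and is mostly printable is not raw ciphertext.
    Base64- or hex-encoded ciphertext would also be flagged and needs manual review."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    if not isinstance(value, bytes) or len(value) < min_len:
        return False
    try:
        text = value.decode("utf-8")
    except UnicodeDecodeError:
        return False  # random-looking bytes almost never form valid UTF-8
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return printable / len(text) > 0.9

def audit_database(conn: sqlite3.Connection):
    """Return (table, column, rowid) for every cell that looks like readable text."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # Table names come from sqlite_master of the file under test, so quote them.
        cur = conn.execute(f'SELECT rowid, * FROM "{table}"')
        cols = [d[0] for d in cur.description][1:]
        for row in cur:
            findings += [(table, col, row[0])
                         for col, val in zip(cols, row[1:])
                         if looks_plaintext(val)]
    return findings

def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data; the columns are assumptions, not the app's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE enc_chats (uid INTEGER, data BLOB)")
    conn.execute("INSERT INTO enc_chats VALUES (1, ?)",
                 (b"constructed test message, readable at rest",))
    # Stand-in for a properly encrypted record.
    conn.execute("INSERT INTO enc_chats VALUES (2, ?)", (os.urandom(64),))
    return conn

if __name__ == "__main__":
    for finding in audit_database(build_sample_db()):
        print("plaintext at rest:", finding)
```

Run against a test device's copy of the app database, a check like this can serve as a regression test that fails the build when message content lands on disk unencrypted.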

On the list of features touted by Telegram there is also the possibility to define the lifespan of the exchanged text through a self-destruct option. Avraham was not able to do this, though, on account of a bug that is not security-related, he assumes.

However, he was able to retrieve deleted messages straight from the memory of the process, which would be of more interest to an attacker since it allows putting together entire conversations.

Telegram fails to respond to responsible disclosure attempts

Zimperium tried to contact Telegram several times since the discovery of the security flaws on January 17, 2015. The first attempt occurred the very next day after their findings, but the vendor did not reply.

The mobile security company has a vulnerability disclosure policy of 30 days, which means that if a month passes and the affected party does not answer the notifications regarding security flaws, Zimperium publishes the research.

The policy says that the vendor is contacted several times (every five business days, through various communication means including email, direct phone calls or intermediaries) if contact cannot be established at the first attempt.

“If Zimperium exhausts all reasonable means in order to contact a vendor, then Zimperium may issue a public advisory disclosing its findings fifteen business days after the initial contact,” the text of the policy reads.

In the case of Telegram, Zimperium says that it attempted contact four times, between January 18 and February 2, but no response was received. On Monday, the company made the glitches public.

[UPDATE]: Telegram CEO, Pavel Durov, published a response to Zimperium's report on the vulnerable state of the app. Durov rejects the validity of the findings since encryption no longer has value if an attacker has root access to the target device.

[Image gallery: Decrypted Telegram messages. Captions: "Lock implies encrypted communication"; "Messages extracted from the process memory"; "Content of cache4.db SQL database".]