Hong Kong software engineers have published warnings today against using Telegram to coordinate protests due to an issue in the instant messaging app.
They say the discovered issue can allow a threat actor, such as Chinese law enforcement or intelligence services, to obtain the phone numbers users utilized to register a Telegram account, which authorities can then track down to protesters' real-world identities.
The issue is especially dangerous for protesters who have been very active in public Telegram groups, either arranging or urging other users to attend protests.
Telegram plays a crucial role in the Hong Kong protests
For the past few months, Hong Kong citizens have been protesting against an extradition bill proposed by the government of Hong Kong, which would make it easier to send Hong Kong residents to mainland China to face legal charges put forward by the Chinese state.
Massive protests with over a million attendees have been taking place almost daily, due to what locals see as a massive intrusion of the Chinese state into their daily lives.
In all of these protests, the Telegram instant messaging app has played a major role in helping residents organize their gatherings. For example, Telegram played a central role in a protest that took place today, with protesters forming a human chain across the city on the 30th anniversary of the Baltic Chain demonstration from 1989.
The app is loved because it supports encrypted anonymous communications, and its group chatting feature has helped users organize protests and pass instructions to all attendees.
The app allows users to register an account using nothing but their phone number. To keep their anonymity, users can use a nickname to mask their identity, and can also hide their phone number from others by selecting "Privacy and Security > Phone Number > Nobody" in the app's privacy section.
New bug disclosed today
But earlier today, Hong Kong users have started sharing a message on a popular local forum about what they called a bug in the Telegram app that can allow a threat actor to unmask their phone number, even when this setting is on "Nobody."
Per reports, an attacker can add tens of thousands of sequential phone numbers to a phone's address book. The attacker then connects to a Telegram channel where protests are being organized and syncs their contacts with the Telegram app.
At this point, the Telegram app will tell the attacker which of the sequential phone numbers has an account active on the protesters' group.
A state law enforcement agency, or intelligence service, can then force local mobile telcos to disclose the names of the persons behind those phone numbers. In the case of the Hong Kong protests, Chinese officials could get a list of people who organized or coordinated protests via Telegram.
After details about this bug have been shared on LIHKG, a very popular discussion board for Hong Kong residents earlier today, the bug was also independently confirmed by several Hong Kong software engineers.
This group of engineers has issued their own alert on the matter, and also tried reaching out to Telegram to get the issue fixed. They say the bug is trivial to automate and exploit and was most likely already used.
"The privacy of [Telegram] phone number has always been an issue since early this year. We knew that setting the phone privacy to 'My Contacts' will allow your contacts to see your number, so the activists have been always asking people to set to 'Nobody,' expecting that will hide the phone number in public group," said Chu Ka-cheong, Director at Internet Society Hong Kong Chapter, and one of the software engineers who independently confirmed this bug.
"Not until today we aware that setting to 'Nobody' will still allow users who saved your phone number in address book to match phone number to public group members. This surprised every one of us," Chu told ZDNet in an interview.
Users advised to use burner SIMs
"People who worry about their phone number leaked are quitting high-risk public Telegram groups," she said. "This inevitably hinders the coordination of future demonstrations and actions."
Chu said that there's no workaround for this data leak for the moment, and protesters are advising each other to switch to using burner SIM cards instead of their main phone numbers.
"But it will be hard to ask the large crowd to switch their phone number," Chu said.
Unfortunately, for many users, this may be already too late.
"We have suspected that some government-sponsored attackers have exploited this bug and use it to target Hong Kong protesters, in some cases posting immediate dangers to the life of the protestors," Chu said.
If Chinese threat actors exploited this bug remains unclear, but they did hit Telegram with other cyber-attacks earlier this year.
Switching from Telegram is not an option
On the other hand, getting protesters to switch from Telegram is off the table altogether, Chu told ZDNet.
"Changing to a different app like Signal is not a viable option for us. Because the way the protestors communicate heavily depends on the support of very large groups [...] in which Telegram has really good support," Chu said.
"On the other hand, Signal and Wire groups are limited to a few hundred people, and Signal makes your phone number visible to everyone anyway.
"Some of us are already using Signal and Wire in a small closed group, but public discussions and announcements will continue to heavily depend on Telegram."
ZDNet has reached out to Telegram for comment earlier today, and the company has looked into the issue reported by Hong Kong protesters.
"We have safeguards in place to prevent importing too many contacts - exactly to prevent the scenario," a Telegram spokesperson said.
"In fact, our data shows that the bot displayed on the screenshots got banned from further imports after two seconds - and only managed to successfully import 85 contacts (not 10,000)," it said. "Once you get banned from importing contacts, you can only add up to 5 new numbers per day. The rest of the contacts you add will look like they're not using Telegram - even if they are."
However, this ban limit can be bypassed. A determined threat actor like the Chinese state can easily employ multiple bots to exploit this issue, instead of just one, and they'll eventually import the entire phone number sequence they want to cover.
Furthermore, the issue here is what Hong Kong protesters expected, compared to what they got. They expected that the "Nobody" setting would prevent anyone from viewing their phone numbers, regardless if they were on their contact list or not.
But Telegram said that's not how that particular setting works, or has ever worked.
"There is no bug: just like WhatsApp or Facebook Messenger, Telegram is based on phone contacts. This means that you must be able to see your contacts who are also using the app," the company said.
"The phone number settings control phone number visibility for users who _don't_ have your number (as opposed to WhatsApp showing your phone number to everyone else in any group)."
So, Telegram is basically saying that once your phone number gets added to someone's contacts list, they'll be able to see it, regardless of the setting.
And Telegram has been warning users that the "Nobody" setting doesn't actually work as they think it does. Bug or not, this misunderstanding of the phone number privacy control setting has sent many Hong Kong protesters in a panic. While Telegram might dispute this as "a bug," users might disagree.
Updated at 12:25pm ET, shortly after publication to include second comment from Telegram contesting this issue as a bug. Title updated accordingly.