Telegram has fought back against researcher claims that Iranian cyberattackers have managed to compromise at least a dozen accounts on the secure messaging service and identified the phone numbers of 15 million users.
This week, the Reuters news agency reported that the attack was the “largest known breach of the encrypted communications system.”
According to the publication, the cyberattack was carried out this year by hackers belonging to a group called “Rocket Kitten,” but the breach was kept under wraps.
Telegram is used by 100 million people worldwide. According to cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, roughly 20 million people in Iran alone use the service. Telegram offers end-to-end encryption, which ensures the keys lie only with the user — and the company itself cannot access message data.
The researchers said that the vulnerability lies in how the company uses SMS text messages to sign up new devices to the service. Anderson and Guarnieri claim that when a user logs into Telegram from a new smartphone, authorization codes are sent via SMS, which in turn can be intercepted by the phone company and shared with cyberattackers.
This is a particular problem when communications providers are heavily monitored or owned by states which want to keep track of their citizens. This year in Iran, for example, the country’s government demanded that foreign messaging service providers store Iranian citizen data within the country, where law enforcement has easy access.
Once the compromised SMS codes have been acquired, the cyberattacker can add new devices to the Telegram account, read chat histories and intercept new messages.
In response to the researchers’ allegations, Telegram said that “certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts,” but that the Iranian accounts “were not accessed.” In addition, the only information that was released through the mass checks for Iranian numbers was in the public domain.
Telegram added that such mass checks are no longer possible since the recent introduction of some limitations into the firm’s API this year.
“However, since Telegram is based on phone contacts, any party can potentially check whether a phone number is registered in the system,” Telegram says. “This is also true for any other contact-based messaging app (WhatsApp, Messenger, etc.).”
The company also commented:
“As for the reports that several accounts were accessed earlier this year by intercepting SMS-verification codes, this is hardly a new threat as we’ve been increasingly warning our users in certain countries about it.”
To prevent account compromise through SMS messages which may be snooped on, Telegram recommends that users set up an additional code through a registered email account when setting up a new device.
In 2015, Telegram and a number of other messaging platforms were blocked for various lengths of time after refusing to help the government spy on its citizens. While Telegram is back online in the country, Facebook and Twitter remain banned.