Update: Soon after we published this article, Telegram sent us a statement claiming that the protocol used by the chat app, MTProto, doesn't lack scrutiny. It is said to be documented and available for anyone to view. Additionally, Telegram says that source code of its app is available for everyone and there's also a bug bounty program by the company that encourages one to find vulnerabilities in the app and bag a reward anywhere between $500 to $100,000. We tried accessing the MTProto documentation and Telegram's source code via the provided links, however, it seems both the websites aren't working as of updating this article. The research paper that highlights below-mentioned flaw also mentions metadata retrieval by an attacker and Telegram says this metadata is the "last seen" time and online status, which a user has control over.
Original story:
WhatsApp-NSO group spyware recently affected an estimated total of 1,400 users globally, including many users in India. While some users may have drifted towards other chat applications for security reasons, a recent report claims that chat apps like Telegram and Signal aren’t safe either.
While leading chat apps offer a certain amount of encryption, it must be noted that this encryption has its flaws as well. Once hackers get to know any vulnerability or bug in the app security ecosystem, a user’s personal data is at their mercy. Unlike WhatsApp and Apple iMessage, Telegram doesn’t offer end-to-end encrypted chats. However, it offers the added layer of security through a manually activated 'Secret chat' option.
A recent research paper from MIT highlights several flaws in Telegram’s security features noting that it employs its own messaging protocol, called "MTProto", which lacks scrutiny from outside cryptographers. Further, the paper has claimed that Telegram follows the old cloud-based approach for data storage, which means, if hackers are able to gain control of Telegram’s server system, they will have access to unencrypted messages as well as all the metadata.
WhatsApp, when hit by the Pegasus cyberattack, quickly fixed the issue and sent out notices to the government and its users that they were in danger. The company also started legal proceedings simply because of the kind of resources it has. Unlike WhatsApp, companies like Telegram and Signal do not have the resources and strength to fight off these kinds of attacks.