A Russian Telegram user has reported receiving strange notifications from Telegram chats she was never a member of. The unsolicited messenger notifications have, among other things, allowed the user to follow the internal chat of the social media team of the Russian independent channel TV Rain. How and why did this happen? And what does it say about Telegram's supposedly secure systems for communication?
TJournal reports that Telegram user Anna Gorbacheva bought a used iPhone from an acquaintance in November 2015. While they did not do a factory reset, the previous owner logged out of all her social media accounts and the iCloud. At first, the new phone worked perfectly.
But a month later, the strange notifications began to appear on her screen:
Concerned that she was unintentionally eavesdropping on other peoples’ private conversations, she wrote to Telegram. She told TJournal:
В январе на заблокированном экране всплыло сообщение из какой-то беседы, в которой я не состою. Я удивилась и открыла Telegram. Чат не отображался, хотя уведомления продолжали поступать. Написала в поддержку, приложив скриншоты.
In January, I saw a message on my lockscreen from a conversation I was never a part of. I was surprised and opened my Telegram. The chat wouldn't show up, even though the notifications of new messages kept coming. So I wrote to support, and sent some screenshots.
Telegram's support did not reply, so Anna simply deleted Telegram altogether. But recently, she needed the messenger for her work at an advertising agency, so she set it up again. And the notifications returned.
As previously, Anna could see the notifications for messages, but could not access the chats themselves. Her attempts to send her own messages to the chats failed. And there were no signs that other chat participants had any idea an outsider was watching their conversations. At TJournal's request, Anna even recorded a video with proof of the unsolicited notifications.
The most recent notifications came from a Telegram chat called “SMM” (short for “social media management”), and having spotted a few names (such as Ilya Klishyn, Aleksey Abanin, and Daniil Zubov), Anna soon realized she was now privy to the internal social media discussion of the TV Rain editorial team. She also noticed that the links to stories discussed in the chat would quickly appear on the TV Rain's Twitter, Facebook, and VKontakte pages.
When contacted by TJournal, Telegram's founder Pavel Durov acknowledged the issue was a software bug, but speculated that Anna must have gotten her phone from a friend who previously worked for TV Rain and had access to the chat. Anna denies her friend has ever had any connection to TV Rain.
She told TJournal that since buying the phone, she never gave anyone else access to it and that her Telegram account was the only one that ever logged in on the device.
Can users trust Telegram?
Telegram boasts secure communications, however security experts have questioned the robustness of its cryptography. Apart from “rolling its own crypto” instead of relying on existing encryption solutions, there is the matter of device dependence. By default, Telegram uses text-based authorization, which allows users to connect new devices to Telegram accounts simply by entering a verification code received via text message on a smartphone. Two-step verification can be enabled, but is not required.
But these known elements of Telegram's systems do not fully explain why Gorbacheva, whose device had seemingly never belonged to anyone associated with TV Rain, suddenly began receiving notifications of their private messages. Gorbacheva's experience suggests that Telegram's security flaws may be worse than critics previously thought.
Anna is at a loss as to how or why she is able to see the messages from a chat to which she does not actually have access. Repeated entreaties for help finally got Anna a response from the Telegram support service. They told her to exit out of all active sessions of the messenger. But that did not help, and Anna continues to receive strange notifications in her Telegram app.
When TJournal investigated the matter further, it turned out that changing accounts and logging in after another user had logged out was a common Telegram bug: Several different users reported gaining access to contacts and messages from those whose accounts were previously active on their devices, after those users had logged out. Short of deleting their newly set up accounts from the devices and from Telegram wholesale and losing all user data, there was no ways to resolve the privacy issue.
Founder Pavel Durov says Telegram is now deleting the cache of old user data when faced with this issue, but users who met with the problem before the bug became official, are on their own. Anna is still receiving notifications about the social media routine of TV Rain, despite having logged out of all active sessions of Telegram. Telegram said her best option would have been to do ao factory reset on the phone after the previous owner had logged out of her account.
So what do you do if your Telegram suddenly starts spewing unsolicited notifications or showing strange contacts? Durov says the only sure-fire solution is to deactivate your Telegram account by opening this link directly in the messenger, which will make all your chat logs and files disappear.
Telegram said the messenger “is not meant to be used on other people's devices,” hence the contact list merging reported by some users. One user was advised by the messenger's support service to “only use your own account on your own devices,” basically acknowledging the messenger's dependence on hardware. But the messages from strange chatrooms that Anna has reported remain a mystery. And Telegram's reputation as a secure messaging app hangs in the balance.