42 Million Data Records from Third-Party Telegram Apps Were Left Open Online
6 Apr 2020
Last week Comparitech and the security researcher Bob Diachenko came out with some big news, giving Iranian people a good reason to worry.
42 million sensitive data records from Telegram "forks", modified versions of the original app, were found exposed online. No authentication was required to access the data, which had been uploaded by a "Hunting System" group to an Elasticsearch cluster.
Allegedly, the apps in question are Talagram and Hotgram produced by Iranian company Rahkar Sarzamin Hooshmand, also known as Smart Land Strategy.
The data has been removed by the hosting provider since the announcement, but both the privacy and the security implications of this incident are severe and cannot be ignored.
Sensitive User Data Was Exposed for 11 Days
Before security researchers could inform the hosting provider about the issue, the data could be accessed by other third parties, and at least one entity posted it on hacking forums.
The BinaryEdge search engine indexed the database on Sunday, March 15th. Bob Diachenko found the data on Saturday, March 21st.
The investigation started right away and an abuse report was sent on March 24th.
Aside from account IDs, phone numbers and usernames, the database contained hashes and secret keys. While this sounds extremely bad, a Telegram spokesperson clarified that the hashes and secret keys only work "from inside the account" and cannot give malicious parties access on their own.
But the main problem surrounding this security howler does not concern the keys. There’s much more to it if we scratch beneath the surface.
SIM Swap Attacks Pose a Significant Security Risk
The exposed phone numbers let the authorities know who in Iran uses unofficial Telegram versions, and let malicious users carry out SIM swap attacks: convincing a phone carrier to move the victim's phone number to a SIM card the attacker controls.
If the swap succeeds, the attacker receives the victim's SMS messages and phone calls, including the verification codes that unlock the victim's personal messages, which could contain even more confidential information.
SIM swap attacks effectively make two-factor authentication obsolete.
For detailed stories and examples of SIM swap attacks, see Brian Krebs's archive of articles on the topic.
SIM swap attacks are not the only concern in this situation: we also have to ask how trustworthy the counterfeit apps are, and who exactly stands behind them in the first place.
Telegram Ban in Iran and Its Impact on People’s Privacy
The most popular messenger in the country got banned multiple times throughout 2017 and was prohibited in 2018.
Judicial authorities ordered the ISPs to block Telegram for good, so users started looking for alternatives that would enable secure communication and protect them from the oppression of their own government.
Avoiding WhatsApp and the domestic Soroush messenger for obvious privacy reasons, Iranians opted for the aforementioned Talagram and Hotgram, unofficial versions of the Telegram app run by third parties. They have no affiliation with the original and, as we can see now, fairly negligent security controls and practices, if not an intentionally malicious element.
Quite recently, Twitter user @fs0c131y started an investigation into a COVID-19 testing app pushed out by the Iranian government. Extracting the URLs contained in the APK revealed the domain covid19.tfone.ir.
A WHOIS lookup showed that the domain had been registered by Mostafa Anoosheh, an employee of... Rahkar Sarzamin Hooshmand.
This detail reinforces the suggestion that these fork projects were developed on behalf of the Iranian intelligence agencies.
What Can We Learn From This Situation?
Governments around the world have been very active during the pandemic, extending surveillance over their citizens, as covered in StealthTalk's latest blog post "Is Governmental Surveillance for COVID-19 Containment a Step Too Far?", which focuses on the tactics implemented by the authorities.
The crisis is indeed the best time to quietly infringe on the privacy of billions without consequences.
Fork apps are especially dangerous because the companies standing behind them are often backed by governmental bodies. They can be used as "honeypots" of sorts: people give away their sensitive information under the impression that they are securing their private space. Such apps could be effective lures, designed to de-anonymize their users.
What we can learn from this particular situation is simple.
People need to stay away from third-party projects mimicking popular secure messengers, as the people behind them could have ties to the government. It is better to look for a less popular alternative that provides end-to-end encryption than to settle for a knock-off monitored by the higher-ups.
As history shows, Telegram itself was once exploited to deanonymize Hong Kong protesters, so a less popular alternative is a good option for avoiding mass attacks.
While StealthTalk won't be sufficient for users striving for anonymity, it does protect you from the SIM swapping attacks described above, thanks to its device binding mechanism.
Get StealthTalk for iOS: https://apps.apple.com/app/stealthtalk/id1475892684
Get StealthTalk for Android: https://play.google.com/store/apps/details?id=com.app.stealthtalk