Telegram does not provide end-to-end encryption of group chats, and it is disabled by default for two-person chats. Anyone with admin access to a Telegram server can read all of your messages.
Telegram uses a proprietary messaging protocol that was not created by cryptographers. Parts of the protocol rely on SHA-1, which can nowadays be defeated relatively easily and cheaply: eprint.iacr.org/2019/459.pdf
There has also been an embarrassing series of man-in-the-middle attacks, e.g., incibe.es/extfrontinteco…
Even with all of its optional security features enabled, Telegram leaks user availability information. This can be used to guess who is talking to whom. courses.csail.mit.edu/6.857/2017/pro…
The Telegram client is shipped as an obfuscated binary. Does anyone really compile it from source? No, they download it from an app store. Was that binary compiled from the open source codebase? No; the open source codebase lags behind in features.
Until recently, an attacker on the network could surreptitiously reorder Telegram messages. If someone asks, “Are you busy? Do you want to do crime with me?” an attacker could change your reply from “Yes” / “No” to “No” / “Yes”.
From that same paper: An attacker-in-the-middle — particularly, but not necessarily, if they have privileged access to the Telegram servers — can compromise the confidentiality and integrity of communication between users.
Here’s a less technical thread on the issues with Telegram:
Until very recently, Telegram allowed anyone to retrieve meter-accurate location data for arbitrary users. Telegram knew about this issue for at least a year but chose not to do anything about it. It wasn’t until recent public outcry over Ukrainian users that they addressed it.
Fifteen years ago, a handful of my grad school labmates and I found ourselves at the brand new Googleplex. Dear reader, I think it’s finally safe for me to tell the story of that one time I trespassed into Google headquarters and took a bunch of pictures. This'll be a thread!
First of all, for posterity—and to further tempt the criminal justice system while flaunting the California statute of limitations—this is all also available in high resolution on my website: sultanik.com/blog/GoogleInt…
’Twas 8pm on a Wednesday. I don’t think Google had finished moving to the new campus yet, so it was relatively quiet. We wanted to go inside, but the lobby was locked and there was no one at the front desk. So we did what any reasonable group of bored grad students would've done: