Key Information

Title: Telegram App Stores Secret-Chat Messages in Plain-Text Database
Author: Jon Paterson
Date: Feb 23, 2015

Main Content:

- Encryption Controversy: The article references criticism from the CryptoFail blog regarding Telegram's encryption protocol.
- Telegram's Statement: Telegram announced a "Crypto contest," offering a $200,000 Bitcoin reward for anyone who could recover an email address encrypted with its app.
- Testing Method:
  - Testing was conducted on Android 4.4.2.
  - By simulating an active attack against the device, the author found that secret chat messages were stored unencrypted in the app's local database.
- Security Vulnerability:
  - Storage Vulnerability: Telegram's secret chat messages are stored in plain text in the database.
  - Message Deletion Function: Even after users delete messages, they can still be recovered from the cached database.
- Disclosure Timeline:
  1. 17/1/2015 – Vulnerability discovered.
  2. 18/1/2015 – Vulnerability disclosed to Telegram's security team.
  3. 23/1/2015 – Requested vendor comment – no response received.
  4. 3/2/2015 – Requested vendor comment again – no response received.
  5. 6/2/2015 – Requested vendor comment again – no response received.
  6. 23/2/2015 – Public disclosure of the vulnerability.
- Recommended Actions: Stresses the importance of active protection at the device level; recommends using alternative encryption software or strengthening device-side security measures.

Summary

This article exposes a serious vulnerability in Telegram's end-to-end encryption, revealing that secret chat messages are stored in plain text in the database. After receiving no response from Telegram, the vulnerability was publicly disclosed, urging users to remain vigilant and take appropriate security measures to protect their personal privacy.
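The two storage findings above (messages readable at rest, and deleted messages still recoverable from the database file) can be reproduced in miniature with any SQLite-backed message store. The following is an added example, not code from the article or from Telegram: it writes one constructed message into a throwaway SQLite file, deletes it through SQL the way an app's "delete message" feature would, and then checks whether the text is still visible in the raw bytes of the file. It also shows the mitigation a defender would want in the same code path: SQLite's `secure_delete` pragma (overwrite freed cells with zeros) followed by `VACUUM` to compact the file. The table name, the message text and the file location are all assumptions made for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample message standing in for real chat content (not from the article).
SAMPLE_MESSAGE = "CONSTRUCTED-SECRET: meet at the usual place 19:00"


def _raw_contains_message(db_path: str) -> bool:
    """Scan the database file as plain bytes, the way anyone with file access could."""
    with open(db_path, "rb") as fh:
        return SAMPLE_MESSAGE.encode("utf-8") in fh.read()


def inspect_store(secure_delete: bool) -> dict:
    """Store one message, delete it, and report what the on-disk file still reveals.

    secure_delete=False mimics a store that never scrubs freed pages (the
    behaviour the article describes); secure_delete=True enables SQLite's
    overwrite-on-delete and compacts the file afterwards.
    Returns {"plaintext_at_rest": bool, "recoverable_after_delete": bool}.
    """
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "messages.db")  # assumed location, test-only
        # isolation_level=None puts the connection in autocommit mode so every
        # statement (including VACUUM, which cannot run inside a transaction) is
        # applied immediately.
        conn = sqlite3.connect(db_path, isolation_level=None)
        conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        cur = conn.execute("INSERT INTO messages (body) VALUES (?)", (SAMPLE_MESSAGE,))
        row_id = cur.lastrowid

        # Finding 1: a TEXT column with no application-level encryption is stored
        # as raw UTF-8 inside the database page, so it is readable at rest.
        plaintext_at_rest = _raw_contains_message(db_path)

        # Delete the single message, as an app's delete button would.
        conn.execute("DELETE FROM messages WHERE id = ?", (row_id,))
        assert conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0] == 0

        if secure_delete:
            # Freed cells were zeroed by the pragma; VACUUM rebuilds the file so
            # no stale page images survive. Note the rollback journal / WAL file
            # would also need the same care in a real deployment.
            conn.execute("VACUUM")
        conn.close()

        # Finding 2: SQL says the row is gone, but the bytes may still be there.
        recoverable_after_delete = _raw_contains_message(db_path)

    return {
        "plaintext_at_rest": plaintext_at_rest,
        "recoverable_after_delete": recoverable_after_delete,
    }


if __name__ == "__main__":
    print("default delete :", inspect_store(secure_delete=False))
    print("secure delete  :", inspect_store(secure_delete=True))
```

Run stand-alone, the first line reports both flags as True (the message is readable before and after deletion), the second reports recovery as False. Even with `secure_delete` and `VACUUM`, the plaintext-at-rest flag stays True: scrubbing on delete closes the recovery gap the article describes, but only encrypting the message body before it reaches the database, or full-disk/device encryption, addresses the primary finding that the store itself is unencrypted.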