Telegram Bots Can Undermine Overall Encryption of the Chat App, Claim Researchers

Telegram has emerged as a popular communications app for millions of users around the globe, who have security concerns and seek an encrypted chat platform. While the company's encryption protocol has long been controversial among the cryptography community, its bots have now come under fire in a recent report from a Web security firm. The security firm claims that the comparably lower security standard used for bots on the app undermines the overall security of the Telegram chats, making the supposed encrypted chats potentially susceptible to interception by malicious parties.

Telegram Bots are small apps that are mostly created by third-party developers to do a specific task and can be embedded inside chats or public channels. According to a research report by Forcepoint Security Labs, a US-based cyber-security firm, Telegram doesn't use the same encryption protocol with bots that the company uses to protects its chats. This means, adding a bot to a chat or public channel can potentially weaken the security of that particular chat and make it easier for a malicious party to intercept the chats.

“Telegram uses its in-house MTProto encryption for securing messages between regular users as it (justifiably) sees TLS as not secure enough on its own for an encrypted messaging application. Unfortunately, this does not apply in the case of programs which use the Telegram Bot API as messages sent this way are only protected by the HTTPS layer,” wrote Abel Toro, a security researcher at Forcepoint, in a blog post.

“To make matters worse, any adversary capable of gaining a few key pieces of information transmitted in every message can not only snoop on messages in transit but can recover the full messaging history of the target bot,” he added.

It is concerning that the security of a messaging service, which advertising itself as a “secure messaging application,” can allegedly be impaired by one of its own features. Forcepoint security researchers suggest that the Telegram users should totally avoid bots if they want to keep their chats private.

Telegram was originally launched back in 2015 and as per the last data released by the company, it has over 200 million active users worldwide.