I have followed and admired the Telegram project since their first release. If you haven't already heard about Telegram, it is a messaging platform with tons of useful privacy and security features, offered completely for free. The Telegram project still lacks some key features, such as an open source codebase and an organization-level GitHub repository, that it would need to gain my full adoption, but I trust their guarantee to make the source code open in the future.
Yesterday I noticed an interesting behavior of Telegram, and perhaps a potential privacy concern. During an update of my contact list, I accidentally noticed that I could retrieve the real names of random people using just their mobile numbers.
TL;DR: If you ever created a Telegram account with your real name, anyone with your phone number can reveal it. Anyone generating a random list of phone numbers can also match which phone number belongs to whom. Conversely, you can find the real names of prank callers, or just random people.
Imagine some scenarios:
- You received a call from someone, but you have no idea about the identity of the caller and you want to discover his/her real name.
- You are planning to make scam/prank calls to random people, so you need their names to become more convincing during the call.
- You work for the government and you discovered some phone numbers that are being used for illegal activities, but you have no idea about the real name of the owner of that mobile number.
- You are a computer programmer and you generated a huge list of random phone numbers and you would like to match real names and mobile numbers for selling the list to hackers or spammers.
How It Works
- Go to the Telegram app, and from the menu go to the 'Contacts' page.
- Go to the 'Add Contact' menu.
- Save the contact.
- Go to the profile of the contact and delete it.
- That's it! The temporary name 'Who You Are' that we used for saving the contact will automatically turn into the real name of the contact! This information is retrieved directly from Telegram servers!
This is the name this person used when creating his/her Telegram account.
FYI: I notified the Telegram support team about this issue. However, they indicated that the issue is the default behavior of Telegram, which I believe is a huge privacy fail.