this post was submitted on 03 Apr 2026


This is why we install from FDroid.

[–] Pika@sh.itjust.works 4 points 2 hours ago

PSA for anyone who used this. Terminate your session via active sessions on another Telegram app after you "log out".

This app ALSO doesn't properly invalidate your session token like most apps do, so even though it "logs out" on the UI, the auth token to Telegram stays active.

While there hasn't been any evidence that it transmits auth tokens, since it was confirmed AND admitted that they logged phone numbers, it's better to be safe than sorry.

[–] lemmysmash@beehaw.org 2 points 3 hours ago

Being honest, I would be surprised if there wasn't malware there. The whole Telegram platform is kind of a nesting ground for it.

[–] CumbrianCucumber@lemmy.world 3 points 9 hours ago

Hasn't Telegram being Russian spyware been known for years now?

[–] Kissaki@programming.dev 2 points 9 hours ago* (last edited 9 hours ago)

So, assuming good faith, they used two Telegram bots for some service functionality

these two bots are used to resolve username from user id, eg tg://user?id=25

Obviously, that should never happen silently. But these findings don't necessarily mean data has been compromised [beyond the scope of the app itself].

I get they may be very frustrated and annoyed at the negative blowback after their FOSS efforts, but dismissing concerns isn't a good way to respond.

[–] Pika@sh.itjust.works 4 points 23 hours ago* (last edited 21 hours ago)

Well shoot. That was a good messenger too.

Edit: Looking into it. It looks like the dev even admitted to it as well. So that's surprising.

Link may require Telegram

[–] inari@piefed.zip 8 points 1 day ago (1 children)

Would an F-Droid release have found this issue? 

[–] artyom@piefed.social 12 points 1 day ago (1 children)

No, but it would have avoided it since it's compiled from source.

[–] inari@piefed.zip 18 points 1 day ago

Yeah... one of the criticisms levied at F-Droid is that you need to trust them over the app developers but as we can see in cases like this, I think that's a feature, not a bug.

It's one reason I'll never use something like Obtainium for instance.