[arkadiyt]

> One that I'm sure many of us would have considered if we were implementing it, things like this do get missed too of course, but enough eyes on the design could have caught this.

It wasn't a design flaw, it was an insecure-direct-object-reference implementation flaw. IDORs are extremely common, but since the group id is an unguessable 128 bits, the bug can only be used by someone who was already in the group previously to rejoin the group. I'm sure it'll get patched shortly, if it hasn't been already.

For the WhatsApp case, a malicious WhatsApp server could add someone to your group, but everyone in the group would see it.

These bugs are not big deals. The real harm comes from regular people reading articles like the Wired one or the famously wrong Guardian one and switching to much worse alternatives, like SMS or Telegram.

[WildGreenLeave]

> The real harm comes from regular people reading articles like the Wired one or the famously wrong Guardian one and switching to much worse alternatives, like SMS or Telegram.

I can understand why you give SMS as an example, because it is just plaintext. But why Telegram? As far as I know Telegram is probably better secured over a service like Whatsapp.

Edit: the latter is an assumption from me, I do not have any claims to back this up. Thats why I'm asking.

[arkadiyt]

Telegram group messages are not end-to-end encrypted at all, the Telegram service has access to all message content.

Wish you weren't getting downvoted for asking this - asking is how people learn.

[whyever]

Your assumption is wrong. I fear that articles like this are partially responsible for that.

[brute]

People are in jail because they felt secure using Telegram. It's the kind of people who should be in jail, but nonetheless it is beyond me how anyone could still use it.

[baby]

> These bugs are not big deals

Entirely agree here, these are UI/UX bugs sure, but attacks? Come on...