by hmnom 2497 days ago
It could be argued you already had the phone number of your victim.

If mobile numbers in your country are in the 2________ range, how feasible is it to add millions of phone numbers to your contact list to find out the number of someone? I think this is nonsensical.

6 comments

>If mobile numbers in your country are in the 2________ range, how feasible is it to add millions of phone numbers to your contact list to find out the number of someone? I think this is nonsensical.

If you're a state actor probably pretty easy. Get a couple thousand rooted remote controllable Android devices (which you probably already have for other projects) and have them automatically add 10k phone numbers each. Then have them join public telegraph lists and check for matches. Now you have gone through 10 million phone numbers. Run it in a loop 10 times and you have 100 million. Might take a few days to set up and run.

I don't see why this is infeasible in any way to do if you have a moderate budget (i.e., state actor).

edit: And if your target is in your jurisdiction then you probably have a good mapping of names to phone numbers already.

All this to get an app to make "do any of my contacts also use Signal" requests? You could probably just figure out what endpoint the mobile client calls and imitate them yourself to avoid all the overhead of setting up the mobile devices. If you have to register to make the request, just provision a bunch of VOIP numbers and go to town.

Point being, if "who is using Signal" is a question you want answered, it's far more trivial than having to acquire actual devices. Your oppressive regime could go from zero to black bag list in an afternoon.

I don't think you need a single device. Just bots with virtual numbers.

The impact is specifically related to Hong Kong, where the protesters are using Telegram to coordinate, and where, according to the bug report, the telephone number range is limited.

There's apparently at least one private company that gathered a database of account-to-number correlations precisely by adding over ten million numbers to Telegram's address books. Here's an article in Russian where one account is deanonymised: https://meduza.io/feature/2019/08/10/kto-takoy-tovarisch-may...

Dunno if this is patched by Telegram in any way now. However, I don't see why it would be difficult for a program to add numbers to the contact list incrementally. To my knowledge, computers so far were pretty good at incrementing numbers. And if the contact list length is limited, the question is just how many phone numbers a company can buy.

The way cellphone telephones work is by registering to a cell. So all they have to do is look at what phones were in the vicinity of cell towers in the place where they protest.

>It could be argued you already had the phone number of your victim.

But you have no correlation between it and the Telegram user. This bug is about this correlation.

Right, the key trick here is that Telegram is easily used as an Oracle.

Telegram has essentially agreed to tell you whether any phone number is correct, so you can just guess all the phone numbers. Never allow this unless the thing an adversary has to guess is both _completely random_ and from a _very large keyspace_ (128 bits is where you can start to feel safe). If you find you're cornered into doing this (e.g. typical email + password login), aggressively rate limit it, so the adversary has to work harder/longer to take advantage and maybe they'll give up.

Phone numbers are neither random nor from a large key space, it's maybe 10^12 worldwide or something? Much too small.
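
An added example, not from any commenter and not Telegram's or Signal's code: a sketch of the aggressive rate limiting the comment above recommends, applied to a contact-lookup oracle on the server side. The class, function names and limits are assumptions made up for illustration; the 100 million keyspace and "a couple thousand" accounts are the figures used earlier in the thread.

```python
from collections import defaultdict


class LookupBudget:
    """Cap on distinct phone numbers one account may test per window."""

    def __init__(self, max_new_numbers, window_seconds):
        self.max_new = max_new_numbers
        self.window = window_seconds
        self._seen = defaultdict(dict)  # account -> {number: first-seen time}

    def allow(self, account, numbers, now):
        seen = self._seen[account]
        # Forget numbers whose first lookup has aged out of the window.
        for number in [n for n, ts in seen.items() if now - ts >= self.window]:
            del seen[number]
        # Re-checking a number already counted costs nothing extra,
        # so a normal address-book sync is not penalised.
        new = {n for n in numbers if n not in seen}
        if len(seen) + len(new) > self.max_new:
            return False  # refuse the whole batch: no partial answers
        for number in new:
            seen[number] = now
        return True


def days_to_enumerate(keyspace, accounts, budget):
    """Days to test every number when each account is held to `budget`."""
    per_day = accounts * budget.max_new * 86400 / budget.window
    return keyspace / per_day


if __name__ == "__main__":
    keyspace = 100_000_000                  # figure from the thread
    loose = LookupBudget(10_000, 86400)     # constructed: 10k numbers/day
    strict = LookupBudget(500, 86400)       # constructed: 500 numbers/day
    for name, budget in (("loose", loose), ("strict", strict)):
        for accounts in (1, 2000):
            days = days_to_enumerate(keyspace, accounts, budget)
            print(f"{name:6} limit, {accounts:4} accounts: {days:,.0f} days")
```

The per-account cap only raises the cost per account; the many-account rows show why account creation itself also has to be expensive for the limit to matter.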

They say that they managed to add 0.1 million people at once. If you're after a group of people and getting only one of them is enough, the limits look pretty feasible to me, even more possible especially in small communities.