Quoted from article [1] on how someone 'hacked' some Brazil politicians: "A hacker with little technical skill and no specialized equipment could, it turned out, do quite a bit of damage with access to someone's voicemail. Delgatti, for instance, figured out he could use this VoIP spoofing technique to target Telegram accounts. At the time, when a Telegram user wanted to attach their account to a new device, they had the option of requesting a verification code via an automated voice call from Telegram. Delgatti realized that he could spoof a victim's phone to request that code. Then, if Telegram's automated voice call didn't get through—because Delgatti initiated the hack late at night while his victim slept, or kept the line busy by calling his victim at the same time—the code would be sent to the person's voicemail. He could then spoof the target's phone once again to gain access to their voicemail, retrieve the verification code, and then add the victim's Telegram to his own device. After that, he could download their entire chat history from the cloud."

[1] https://www.wired.com/story/brazil-hacker-bolsonaro-car-wash...

I think the least everyone who wanna continue using Telegram must do is enable 'two-step verification' in Telegram settings. Or use Signal. Or Wire if you don't wanna expose phone number. But Wire stores metadata.

Edit: Yeah WA is e2e by default. But if you or your friend has enabled backing up chats to Google account, everything will be backed up in plain/weak encryption. Also at least in Android, WhatsApp automatically stores all received/sent pics, videos etc in a folder named WhatsApp which is available to any app with storage permission.

Note that this is true even for unread messages, including messages in group chats.