8

Recently I signed in to Telegram using my TextNow number.

When I signed in, I was assigned the profile of an existing user! I have access to the profile of this user, including the contact list of the user, subscribed channels, and session history with geographical information.

Apparently TextNow reassigns unused numbers to other users, which is quite understandable as there is a limited amount of them. However, I am very surprised that a supposedly privacy-oriented service allows me to unintentionally access other users' profiles and, even worse, to have access to the phone numbers in this user's contact list.

I could set an additional password and become the sole owner. On the other hand, if I change the username, I will still be on the contact list of unknown people and Telegram will notify them of my new username.

It is a fact that, when you get a new phone number, you are not necessarily the first owner. Using an old owned number reduces this possibility, but Telegram would advertise your presence to old coworkers or occasional friends, who are not in your circle any more and you don't want to be.

Is there a sane way to use Telegram without giving up your privacy and security? (I don't think that Skype has these issues.) This accident and the resulting attitude of Telegram toward (two-factor) authentication worried me. Considering that one can lose the ownership of a phone number (for a number of reasons), is it sufficient to add a second level of authentication to stay safe?

jrtapsell
antonio

1 Answer

3

You can set a password as a second factor; this way, no one else will get access to your account even if they somehow obtain your phone number.

What you really see here is the good old security/usability tradeoff. Most Telegram users probably never cared that much about the security of their account, and neither did the previous owner of your number. Forcing them all to remember passwords would have undermined the growth of the messenger's user base.

At that point, Telegram decided to let the users choose themselves. In the future, this may, but seems to be unlikely to, change. Whether decision making of that sort is appropriate for you is completely up to you to decide.

What I can still suggest is to evaluate your own risks and threats in order to find out if you're fine with a platform that wouldn't enforce the most secure option as a default, or not. Here's an article on how to apply a context-centered approach to messaging platforms; it might help somewhat to understand the challenges of picking a messenger which fits your threat model best.

ximaera