<p>A few days ago we launched a <ahref="http://telegram.org/crypto_contest"><strong>contest</strong></a> to improve Telegram's security and are delighted to already have the first results. A <ahref="http://habrahabr.ru">Russian IT-community</a> user identified a potentially vulnerable spot in our secret chat implementation. While this would not help him decipher the traffic and win <ahref="http://telegram.org/crypto_contest">the contest</a>, his achievement deserves a notice — and a big prize.</p>
<blockquote>
<p>The habrahabr user <ahref="http://habrahabr.ru/users/x7mz/">x7mz</a> had discovered that in case the Telegram server could be seized by a malicious third party, it could send different nonce numbers to each of the clients participating in a secret chat.</p>
<p>These nonce numbers were introduced to add more randomness to the secret chat keys, mostly because of possible undiscovered vulnerabilities of the random generators on mobile devices (for example, one such vulnerability was found this August in <ahref="http://android-developers.blogspot.ru/2013/08/some-securerandom-thoughts.html">android phones</a>).</p>
<p>As was pointed out, this solution would have also made it possible for the visual representations of the shared secret key to be identical in case of a man-in-the-middle attack — provided such attack was done by the seized server. Obviously, the server has been under Telegram's control all this time, so this theoretical threat never had a chance to come to life.</p>
</blockquote>
<p>The developer who found the potential weakness has earned a reward of <strong>$100,000</strong>. We have contacted him to find out how he would like to collect his prize.</p>
<p>A similar reward awaits anyone who finds viable ways of compromising <ahref="https://core.telegram.org/mtproto">MTProto’s</a> security (and there is an outstanding reward of $200,000 for <ahref="http://telegram.org/crypto_contest">deciphering Telegram traffic</a>). All submissions to <strong>security@telegram.org</strong> which result in a change of code or configuration are eligible for bounties, ranging from <strong>$500</strong> to <strong>$100,000</strong> or more, depending on the severity of the issue.</p>
<p>This story showcases the importance of keeping the <ahref="https://core.telegram.org/mtproto">protocol specification</a> and <ahref="http://telegram.org/source">source code</a> open — this way thousands of bright minds from all over the world can help us find potential vulnerabilities and improve the protocol.</p>
<p>Let’s keep on looking for any weak spots. Together we can make Telegram unbreakable.</p>
<ahref="https://t.me/share/url?url=https%3A%2F%2Ftelegram.org%2Fblog%2Fcrowdsourcing-a-more-secure-future&text=A%20guy%20from%20Russia%20just%20earned%20%24100%2C000.%20Crowdsourcing%20a%20More%20Secure%20Future"class="tl_telegram_share_btn"id="tl_telegram_share_btn"data-text="A guy from Russia just earned $100,000. Crowdsourcing a More Secure Future"data-url="https://telegram.org/blog/crowdsourcing-a-more-secure-future"><iclass="tl_telegram_share_icon"></i><spanclass="tl_telegram_share_label"target="_blank">Forward</span></a>
<ahref="https://twitter.com/share"class="tl_twitter_share_btn"id="tl_twitter_share_btn"data-text="A guy from Russia just earned $100,000. Crowdsourcing a More Secure Future"data-url="https://telegram.org/blog/crowdsourcing-a-more-secure-future"data-via="Telegram">Tweet <spanclass="tl_twitter_share_cnt"></span></a>
<h4class="dev_blog_card_title">Notification Sounds, Bot Revolution and More</h4>
<divclass="dev_blog_card_lead">Today's update adds creating your own notification tones, setting custom durations for muting chats or auto-deleting messages, as well…</div>
<h4class="dev_blog_card_title">Download Manager, New Attachment Menu, Live Streaming With Other Apps and More</h4>
<divclass="dev_blog_card_lead">Today's update brings tools to help you control your downloads, send documents with a tap, re-arrange media albums before sending, turn…</div>
<h4class="dev_blog_card_title">Video Stickers, Better Reactions and More</h4>
<divclass="dev_blog_card_lead">This update brings easy-to-make video stickers, better reactions with more compact animations and extra emoji, a button to review unseen…</div>
<h4class="dev_blog_card_title">Reactions, Spoilers, Translation and QR Codes</h4>
<divclass="dev_blog_card_lead">Telegram's 12th update of the year introduces reactions, message translation, themed QR codes, hidden text (spoilers), and more.</div>
</div>
<divclass="dev_blog_card_date">Dec 30, 2021</div>
</div></a>
</div>
</div>
</div>
</div>
</div>
<divclass="footer_wrap">
<divclass="footer_columns_wrap footer_desktop">
<divclass="footer_column footer_column_telegram">
<h5>Telegram</h5>
<divclass="footer_telegram_description"></div>
Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed.
