WhatsApp backdoor mitigation

Durov is just spreading panic and misinformation as usual in the linked post. They are not a reliable source of information, at all. 0days happen in software all the time, Telegram is no exception.

If an adversary were to compromise an app only (e.g. arbitrary code execution within the application sandbox) then they can access everything the app could. If they then chained exploits together taking advantage of multiple vulnerabilities (for example, a kernel bug allowing for escalation of privileges and thus gaining code execution/information outside of the application sandbox) then they could potentially view content which the application sandbox would not permit, going all the way up to any content on the device. It's not really a question which can get a boolean response; rather, it depends on the circumstances and the goals of the adversary, as well as what vulnerabilities they are leveraging.

    Doesn't Telegram require opt-in for encryption?

    Nice write-up, flawedworld!

    Agreed that "... It doesn't matter if you are the richest person on earth if you have WhatsApp installed on your phone, all your data from every app on your device is accessible, as Jeff Bezos found out in 2020. ..." is over the top - especially when GOS is considered. But some of his other observations and suggestions seem pretty good.

    Of course a kernel bug that you hypothesized might be readily exploitable in AOSP but not at all exploitable in GOS - though I'd still not have anything to do with WhatsApp as exploits improve over time.