Telegram chat: the secure privacy nightmare – an analysis and a comment

Source: Heise.de added 23rd Nov 2020

In certain circles, Telegram is increasingly becoming a synonym for “secure chat” and “chat with privacy”. But even very simple tests, which anyone can carry out themselves, show that users of the messenger service are almost completely exposed.

Jürgen Schmidt, aka ju, is the managing editor of heise Security and Senior Fellow Security at heise. A graduate physicist by profession, he has been working for Heise for over 15 years and is also interested in networks, Linux and open source.

The first simple test is this: type a message containing a link such as “https://www.heisec.de”, but do not send it yet! You will then see that your smartphone already shows some information about heise Security:

Telegram provides information about the typed link while you are still typing.

WhatsApp, for example, does that too. There, the app on the mobile phone fetches the information from the URL in the background and shows it to you. Not so with Telegram: there the app delivers everything you type to the Telegram server, even before you send it. This server then visits the URL and delivers the result, with the “Portal for IT Security” text, to the Telegram app on the mobile phone.

I did this test with a honey URL. In other words, a URL that was created only for this purpose and has never been used anywhere before. Access from the TelegramBot appeared in the log files of my honey URL server immediately after I typed this URL into the Telegram app. It had the IP address 149.154.161.10, which belongs to a Telegram server in England. Mind you, that happened before I sent the link!

The Telegram server visited my “secret” web page before I had sent the message with the URL.

During the cross-check with WhatsApp, the honey server also registered an access. But as expected, it came from my own IP address. The app on my smartphone in the WLAN had retrieved the data, not an external server.
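The log check behind this first test, as an added example that is not part of the original article: it reads web server access-log lines, keeps the requests for a honey URL, and reports whether each one came from the tester's own IP address or from a third-party server, and whether it arrived before the message was sent. The function name, paths, IP addresses (documentation ranges) and log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip - - [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def classify_honey_hits(log_lines, honey_path, own_ip, sent_at=None):
    """Return one dict per request for honey_path.

    origin is "client" when the request came from the tester's own IP (the
    app fetched the preview itself) and "third-party" otherwise.
    before_send is True when the hit predates sent_at, or when the message
    was never sent (sent_at is None).
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["path"] != honey_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append({
            "ip": m["ip"],
            "agent": m["ua"],
            "origin": "client" if m["ip"] == own_ip else "third-party",
            "before_send": sent_at is None or ts < sent_at,
        })
    return hits

# Constructed sample data: documentation-range IPs, made-up paths and agents.
OWN_IP = "203.0.113.25"
CET = timezone(timedelta(hours=1))
SAMPLE_LOG = [
    '198.51.100.10 - - [20/Nov/2020:10:15:02 +0100] "GET /honey-a7f2 HTTP/1.1" 200 512 "-" "TelegramBot"',
    '203.0.113.25 - - [20/Nov/2020:10:21:40 +0100] "GET /honey-c9d4 HTTP/1.1" 200 512 "-" "WhatsApp"',
    '192.0.2.77 - - [20/Nov/2020:10:22:05 +0100] "GET /robots.txt HTTP/1.1" 404 0 "-" "crawler"',
]

if __name__ == "__main__":
    # Messenger A draft was never sent; messenger B message went out at 10:25.
    sent_b = datetime(2020, 11, 20, 10, 25, tzinfo=CET)
    for path, sent in (("/honey-a7f2", None), ("/honey-c9d4", sent_b)):
        for hit in classify_honey_hits(SAMPLE_LOG, path, OWN_IP, sent):
            print(path, hit)
```

Using a fresh honey path for each messenger keeps the two tests from contaminating each other's results.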

The complete chat archive

Now for the second test. On the PC, open the Telegram chat web page in a private browser window: https://web.telegram.org/. There you have to register with your cell phone number. Telegram will then send you a login code in the form of a six-digit number. Before you type it into your browser, switch the mobile phone to flight mode so that it can no longer send any data. If you then enter the code in the browser, a web page opens with all your chats.

Very convenient: You can also use Telegram in your browser.

Where do you think this data comes from? Not from your cell phone, because that is in flight mode without a network. And before you have identified yourself with the code, the browser must not have received your data. There is only one possibility left: the content of the chats comes from the web server that your browser is talking to. For me it was a server in a data center in Amsterdam (99.154.161.99).

So this server has access to a complete copy of all my chats. It even contains the previously typed but not yet sent message with the heise Security URL as a “draft”. And of course, Telegram stores not only my chats but also those of all Telegram users.

Everything that users write is stored centrally at Telegram and delivered when required. To you, if you identify yourself with the correct code. But certainly also to an officer who can show a search warrant. Or to a bribed employee, or to hackers who gain access to the servers. And if Telegram decides one day that they want to use this data to make you “exciting offers”, that is, targeted advertising, there is nothing, at least from a technical point of view, that could prevent them from doing so. Privacy? There is none!

In theory, Telegram has so-called “secret chats” that are protected from being read by third parties. But they are so well hidden that most Telegram users don’t even know about them, let alone use them. In addition, these secret chats come with a number of restrictions: they cannot be used for groups and can only ever be used on one device. Almost all Telegram chats therefore run via the normal channels that can be read by Telegram.

Read the full article at Heise.de
