This is why we install from F-Droid.

  • Staff@piefed.world
    3 days ago

    I use Forkgram but it acts a little weird sometimes. First it shouts empty notifications randomly, usually 2 back to back. When I open Firefox somehow Forkgram opens a notification too. It doesn’t happen every time but still it’s weird. Anyone with similar behaviors on that app?

  • Pika@sh.itjust.works
    4 days ago

    PSA for anyone who used this. Terminate your session via active sessions on another Telegram app after you “log out”.

    This app ALSO doesn’t properly invalidate your session token like most apps do, so even though it “logs out” on the UI, the auth token to Telegram stays active.

    While there hasn’t been any evidence that it transmits auth tokens, since it was confirmed AND admitted that they logged phone numbers, it’s better to be safe than sorry.

      • inari@piefed.zip
        5 days ago

        Yeah… one of the criticisms levied at F-Droid is that you need to trust them over the app developers but as we can see in cases like this, I think that’s a feature, not a bug.

        It’s one reason I’ll never use something like Obtainium for instance.

  • lemmysmash@beehaw.org
    4 days ago

    Being honest, I would be surprised if there wasn’t malware there. The whole Telegram platform is kind of a nesting ground for it.

  • Pika@sh.itjust.works
    5 days ago

    Well shoot. That was a good messenger too.

    Edit: Looking into it. It looks like the dev even admitted to it as well. So that’s surprising.

    Link may require Telegram

  • Kissaki@programming.dev
    4 days ago

    So, assuming good faith, they used two Telegram bots for some service functionality

    these two bots are used to resolve username from user id, eg tg://user?id=25

    Obviously, that should never happen silently. But these findings don’t necessarily mean data has been compromised [beyond the scope of the app itself].

    I get they may be very frustrated and annoyed at the negative blowback after their FOSS efforts, but dismissing concerns isn’t a good way to respond.

  • entwine@programming.dev
    5 days ago

    Why the fuck do people who know what a “github” is, much less how to post issues, use Telegram?