Comment by gruez
18 hours ago
For people who only read the headline, it's not as bad as the title might suggest. This attack requires backdooring the client, by which point it's already effectively game over in most threat models. The main advantage of this attack is that a compromised client can be sending "encrypted" messages that can actually be trivially decrypted by authorities, but that isn't immediately obvious to someone inspecting network traffic. Needless to say, this is a pretty pointless attack because nobody is manually inspecting every piece of data that their telegram is sending, and the client probably makes so many requests that it's trivial to smuggle data through some other side channel.
The threat model of the attack is targets relying on binary/source transparency of open source clients to protect against (state-sponsored) client backdoors; in that sense, it most closely resembles the Juniper/NetScreen Dual-EC attack, which functioned basically the same way: a backdoor that was essentially not auditable, as the underlying vulnerability was realized cryptographically.
I'm just clarifying. I agree the practical implications of the attack are not really meaningful to a general audience.