BREAKING: Nekogram is secretly transmitting your telegram account phone number to the developer

According to SOTA,
"The backdoor is hidden in the http://Extra.java file, which differs from the template uploaded to the repository. The obfuscated code sends data as an inline request to the @nekonotificationbot, leaving no trace. The same file implements account 'doxing' via several bots; it is possible that the leaked data is used to populate their databases."

Additionally, the creator of the Nekogram client, (presumably a Chinese national) was previously known for conducting DDoS attacks and unethical online behavior (including death threats against acquaintances).

Apparently, in the early versions of the client, de-anonymization was applied only to Chinese phone numbers, which could have been used for political surveillance;. However, it is now applied to all users.

Follow @TechLeaksZone

Nekogram appears to be using the TgDB Search Bot in an automated manner (without our knowledge; this is not a partnership), likely to search for usernames.

However, this is unrelated to their obfuscated scraping of phone numbers; we do not receive any data from Nekogram and are in no way affiliated with them.

用 Nekogram 的有福了
https://thebadinteger.github.io/nekogram-phone-exfiltration/

The telegram scene for the next week is gonna be like "yeah so our slopgram doesn't steal data like goygram, we are a secure fork of ligmagram and have been vetted 69 times by the devs of cringegram which is our biggest competitor, and one of them is also in the navy"

为验证这一点，我们制作了一个PoC：一个LSPosed模块，将机器人ID和用户名替换为我们自己的信息，这样所有请求都会发送到我们的服务器上。通过这种方式，我们确认电话号码确实在被收集。每次登录都会如此。

该PoC可在此处获取: https://github.com/RomashkaTea/nekogram-proof-of-logging

https://t.me/mysticleaks/157

1. Cherrygram 开发者声称此段代码未被调用且编译后被移除
https://t.me/cherrygram/1134

2. Cherrygram 付费版被扒出存在此数据收集代码
https://t.me/MlgmXyysd_bibilailai/3105

3. Cherrygram 公开版未检出此代码
https://t.me/MlgmXyysd_bibilailai/3107

If your question is, “Is it true?”, the answer is yes, numbers were sent to the bot.

Some people are asking for an “explanation,” but what kind of explanation do you need? It is exactly what it looks like; it is what it is. 🤷‍♂️

For those interested, here is the source code of Extra.java.

Fact: not a single number has been stored anywhere or shared with anyone, though people may find that hard to believe.

前情提要 https://t.me/monogram_android/74

日前杜叔叔似乎在 Telegram Desktop 上移除了发送大图的选项。看起来是官方客户端 6.7.0 移除的，未更新的 6.6.x 客户端仍可正常发送较高分辨率的图片。

目前看起来这似乎只是客户端限制，但并不知道单纯靠不更新还能苟多久。不论如何，如果在意的话建议暂时关闭自动更新。

我现在没电脑但是看 https://github.com/telegramdesktop/tdesktop/commit/87ebd2720f0f0664b27f8ccebb874f71b8425432 似乎是改成了发送图片的时候可以选择？

Telegram 官方客户端已经正式支持中文界面，直接在客户端里切换，无需额外添加语言包。