CVE-2019-15514
Description
The Privacy > Phone Number feature in the Telegram app 5.10 for Android and iOS provides an incorrect indication that the access level is Nobody, because attackers can find these numbers via the Group Info feature, e.g., by adding a significant fraction of a region's assigned phone numbers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Telegram app 5.10 for Android/iOS fails to hide phone numbers set to 'Nobody' when attackers add users via contacts in public groups.
Vulnerability
The privacy setting "Phone Number > Nobody" in Telegram 5.10 for Android and iOS does not prevent phone number disclosure through the Group Info feature [1]. When an attacker adds a large number of phone numbers (e.g., sequential numbers) to their device contacts and syncs with Telegram, then joins a public group, the phone numbers of group members become visible in the group info, even if those members have set their privacy to "Nobody" [1]. This affects all users in public groups on these platforms.
Exploitation
An attacker needs a list of phone numbers (which can be generated sequentially, especially in regions with limited number ranges) and the ability to add them to their device's address book [1]. The attacker then syncs contacts with Telegram, joins a public group of interest, and views the group info to see the phone numbers of members [1]. No user interaction from the victim is required beyond being a member of the public group.
Impact
An attacker can uncover the phone numbers of any user in a public Telegram group, bypassing the user's explicit privacy setting [1]. This leads to identity exposure and can enable real-world targeting, as highlighted in the context of Hong Kong protesters where phone numbers are tied to personal identities [1].
Mitigation
No official fix has been confirmed in the available references [1]. Users concerned about privacy should avoid joining public groups or disable the sync of contacts with Telegram until a patch is released. Telegram has not yet responded to the disclosure as of the publication date [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Telegram/Telegram app
- Range: = 5.10
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Telegram's Group Info feature exposes phone numbers from synced contacts even when the user has set phone number privacy to 'Nobody.'"
Attack vector
An attacker (Mallory) adds a large number of sequential phone numbers to her device's address book and syncs them with Telegram. She then joins a public group that the victim (Alice) is a member of. Even though Alice has set her phone number privacy to "Nobody," Mallory can see Alice's phone number in the Group Info screen because Telegram's contact sync overrides the privacy setting when the attacker's address book contains the victim's number [1]. The attack requires only that the attacker can enumerate phone numbers (e.g., within a limited numbering space like Hong Kong) and join the same public group as the victim.
Affected code
The vulnerability is in the Telegram app (version 5.10 for Android and iOS) and involves the Group Info feature. When a user sets Privacy > Phone Number > Nobody, the app incorrectly still exposes the phone number through the Group Info screen for public groups [1]. The specific code path is not identified in the advisory, but the bug lies in how the server resolves contact sync data against group membership.
What the fix does
The advisory does not include a patch or official fix. The remediation guidance implied by the report is that Telegram should ensure the Phone Number privacy setting ("Nobody") is respected in the Group Info feature regardless of whether the attacker has the victim's number in their synced contacts [1]. No fix is published in the provided bundle.
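The check that remediation guidance calls for, as a small model added here for illustration; it is not Telegram's code. All names (`Privacy`, `User`, `phone_visible_flawed`, `phone_visible_hardened`, `group_info`), the "My Contacts" semantics, and the sample numbers are assumptions. The model makes one point explicit: the viewer's address book is viewer-controlled input and must never count as authorization.

```python
from dataclasses import dataclass, field
from enum import Enum


class Privacy(Enum):
    EVERYBODY = "everybody"
    MY_CONTACTS = "my_contacts"  # assumed: people in the MEMBER's own contacts
    NOBODY = "nobody"


@dataclass
class User:
    name: str
    phone: str
    privacy: Privacy = Privacy.EVERYBODY
    address_book: set = field(default_factory=set)  # numbers this user synced


def phone_visible_hardened(viewer: User, member: User) -> bool:
    # Only the member's setting and the member's own contacts decide.
    if member.privacy is Privacy.EVERYBODY:
        return True
    if member.privacy is Privacy.MY_CONTACTS:
        return viewer.phone in member.address_book
    return False  # NOBODY


def phone_visible_flawed(viewer: User, member: User) -> bool:
    # Behaviour described in the advisory: a match in the VIEWER's synced
    # address book reveals the number regardless of the member's setting.
    return (member.phone in viewer.address_book
            or phone_visible_hardened(viewer, member))


def group_info(viewer, members, visible):
    # Member list as the viewer would see it (None = number hidden).
    return {m.name: (m.phone if visible(viewer, m) else None)
            for m in members if m is not viewer}


# Constructed sample data (fictional 555 numbers, not from the advisory).
alice = User("alice", "+15550100", Privacy.NOBODY)
bob = User("bob", "+15550101", Privacy.MY_CONTACTS, {"+15550100"})
mallory = User("mallory", "+15550199",
               address_book={f"+155501{n:02d}" for n in range(100)})
GROUP = [alice, bob, mallory]
```

The flawed resolver differs from the hardened one by a single clause, which makes a useful regression test: a viewer whose address book covers the whole range must see exactly what a viewer with an empty address book sees.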
Preconditions
- config: Attacker must have a device running Telegram 5.10 on Android or iOS
- input: Attacker must add the victim's phone number (or a range covering it) to their device address book and sync contacts with Telegram
- network: Attacker must join a public Telegram group that the victim is also a member of
- config: Victim must have set Privacy > Phone Number > Nobody
Reproduction
1. On Telegram 5.10 (Android or iOS), set Privacy > Phone Number > Nobody.
2. Join a public group.
3. On a second device, add a large set of sequential phone numbers (including the victim's number) to the address book and sync contacts with Telegram.
4. Join the same public group.
5. Open the Group Info screen: the victim's phone number is visible despite the privacy setting [1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References