If The Onion wrote about network infrastructure, I imagine they would make up stories like this real Cisco critical advisory CVE-2026-20223.

A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role.

The thing that turned its CVSS into a perfect 10 instead of a 9.8 was the cross-tenant reach (Scope Changed), which means a breach escapes the security boundary and reaches resources under a different authority. On a microsegmentation product, the scored vector is literally saying its segmentation boundary does not segment.

Is a fence that has no fence still a fence?

CWE-306 is how Cisco classified it: Missing Authentication for Critical Function. A security replacement for the perimeter that depends on the perimeter for security is Onion-level engineering.

A Symbolic Software report was commissioned by the former CFO of Telegram (Vedeneev) in a Swiss lawsuit, attached with the hope that experts would refute an IStories report. Instead, it confirmed the findings. And then it became discoverable.

This post is about how the defendant in a Telegram case produced technical evidence against himself, and a rebuttal page got pre-positioned against an article whose core claims were already confirmed in writing by the litigant’s own expert. Whew. Ready?

Let me begin with the end of the story. Telegram pre-published a rebuttal to claims, which deepen the hole they have been digging for themselves. Three points stand out:

1. The rebuttal from Telegram claims their an auth_key_id “changes regularly.” Does it? What is regularly? The independent expert review claimed the opposite that it “remains constant across sessions, IP address changes, network switches, and geographic locations.” This contradiction is out in the open for scrutiny.
2. Telegram claims infrastructure is “configured, managed and controlled exclusively by Telegram’s internal engineering teams.” Vedeneev told IStories on the record: “Telegram doesn’t have access to the data centers in Singapore or Miami: they’ve never been there. Four data centers have already been built. We are present in all four. At this point, I provide all communication channels. Not someone else — me!” That’s a hard inversion.
3. Telegram floats a denial that “GNM/Vedeneev not connected to the FSB”, which sits within Vedeneev’s own description of an assigned FSB handler, authorized email accounts for FSB IP-to-identity lookups, and his admission “We understand that we can’t not answer.” Telegram does not address the SORM-servicing contract; it addresses only physical residence and current business operations in Russia, which are not the relationships at issue.

All that nonsense, before we even get to the interesting technical issues?

While people speak about a privacy leak allowing users to be tracked, I hope they also consider that auth_key_id as the server-side lookup handle for the per-device auth_key that Telegram uses to terminate the MTProto transport.

The exposed identifier sits one hop away from the decryption boundary for everything that is not a secret chat, which is the overwhelming majority of Telegram traffic. Non-secret chats are stored server-side under keys Telegram controls. An adversary positioned to harvest auth_key_id values on the wire is positioned at the same infrastructure that terminates the transport and reaches the plaintext store. The expert review was about tracking, but I see an architectural can of worms that is much, much larger.

Telegram meanwhile claims their auth_key_id is just pigeon poop by design. Literally. They say that on telegra.ph.

That is like claiming someone can track your car using pigeon poop on the windshield when they can already see the color, model, direction, speed, and approximate location of any car.

Not to take a tangent, but pigeon poop studies claim certain car brands and colors are targeted more than others.

I also should point out this rebuttal was published May 4, two weeks before the article that it criticizes was released.

Regarding the unpublished article, we reject its conclusions

Telegram replied to an unpublished article in enough detail to draft three sections of technical and reputational defense. The Swiss court discovery exposed the Symbolic Software findings to Telegram. Their rebuttal therefore was most likely a response to discovered expert evidence that Telegram knew would be published. Or the FSB has bugged journalists, but that seems hard to prove.

Speaking of hard to prove, the rebuttal page is signed Telegram, yet it isn’t a corporate domain, isn’t a known spokesperson, doesn’t cite documentation, and most of all doesn’t actually clarify the rotation interval for the auth_key_id. Instead it’s just a branded bunch of analogies and attacks on characterizations.

Here are some clear examples. The generic argument from Telegram that someone “can already see better signals” is bog-standard misdirection to obscure a persistent identifier. A tracking primitive that has cross-session linkability under adversarial conditions makes it different than the others: IP rotation, NAT, VPN cycling, mobile-to-wifi handoffs. If auth_key_id persists across these and rotates on a longer cycle than IPs change, it provides correlation that no other listed signal provides.

Then they make a TLS session ticket comparison.

TLS, the protocol used by most web services and recommended in the article, itself allows a much easier way to link connections from the same user: whenever your browser reconnects to a site over TLS, it typically presents a session ticket in cleartext. This is standard behavior across much of the web.

This is the most technically dishonest part of the rebuttal. A session ticket’s contents are encrypted to the server’s key, but the ticket bytes are visible on the wire, and that visibility is what enables linkage when a ticket gets reused. Modern TLS treats tickets as effectively single-use for this reason, so a given ticket value typically appears in one resumption handshake before rotating. An auth_key_id, by contrast, is bound to a long-lived device key (the auth_key) and appears in cleartext on every MTProto message of every connection. The comparison equates a single-use, resumption-only linkage primitive with a persistent device handle observable on every packet for the lifetime of the device authorization.

And I can’t point out enough that “frequently rotating” depends entirely on the interval versus collection threats. If Telegram is talking days, it persists across most movement. If they mean hours, across most sessions. The rebuttal has no actual interval, which is the single quantitative claim that would settle the question. That omission is a serious problem with the rebuttal.

And the glass-building metaphor rounds out the pigeon poopery. If they are going to admit the window exists, why bother going on another minute? The window exists. For a state-level passive collector at a peering point operated by the alleged compromised party, every persistent identifier matters, because correlation across rotating signals is the entire point of the article it’s supposedly refuting.

Each section in the rebuttal was setup to weakly characterize a future article’s claim, then attack that characterization instead of the actual facts of Telegram. The analogies (pigeon poop, electrician, fuse box) make the argument sound absurd in order to avoid engagement with the substance of the criticism. And then the technical claims are drafted as legal statements prepared for cross-examination, using carve-outs and narrowing modifiers to reduce liability by avoiding clarity.

After all that, I suggest you read thoroughly the Symbolic Software report on Telegram, as presented today by IStories: “Independent Review Confirms Critical Telegram Vulnerability Previously Exposed by IStories“.