[FD] Telegram authentication bypass
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] Telegram authentication bypass
- From: jdiaz@xxxxxxxxxxxxxx
- Date: Mon, 28 Apr 2014 11:17:31 +0200
Hello,
A security issue affecting the Telegram instant messaging service has been
made public by INTECO-CERT. Further details follow.
----------------------------------
Affected products and services:
----------------------------------
Telegram instant messaging service.
----------------------------------
Overview:
----------------------------------
The Telegram authentication mechanism may be circumvented, since there is no
way to verify the legitimacy of Telegram's public keys and thus whether the
client is communicating with a legitimate server. This may allow an
attacker leveraging this issue (e.g. by distributing a slightly modified
client) to obtain almost full control of the victim's account. Further,
the behavior of the victim's client is exactly the same as the behavior
of a legitimate client.
For a detailed analysis, including a PoC, visit:
http://www.inteco.es/blogs/post/Seguridad/BlogSeguridad/Articulo_y_comentarios/telegram_authentication
(blog post with extended abstract) or
http://cert.inteco.es/extfrontinteco/img/File/intecocert/EstudiosInformes/INT_Telegram_EN.pdf
(detailed research results).
----------------------------------
Timeline:
----------------------------------
2014.03.07 - Initial contact with Telegram security team.
2014.03.10 - Telegram response informing that this issue is out of their
security model.
2014.03.11 - Submission of PoC to Telegram security team.
2014.04.28 - Publication of research results.
Sincerely,
Jesus Diaz
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
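
The argument in the Overview, as an added example that is not part of the original post or of Telegram's code: a check the client performs against its own embedded key passes equally for a legitimate and a substituted key, and only a fingerprint obtained through an independent channel tells them apart. The key bytes, the SHA-256 fingerprint format and all function names are assumptions made for this simplified model.

```python
import hashlib
import hmac

def fingerprint(pubkey):
    """Fingerprint of a serialized public key (SHA-256 is an assumption)."""
    return hashlib.sha256(pubkey).hexdigest()

def in_band_check(embedded_key, advertised_fp):
    """All a client can do alone: match the fingerprint the server
    advertises against the key compiled into that same client."""
    return hmac.compare_digest(fingerprint(embedded_key), advertised_fp)

def out_of_band_check(embedded_key, trusted_fps):
    """What a user or auditor needs: compare the client's embedded key
    with fingerprints obtained independently of the client download."""
    fp = fingerprint(embedded_key)
    return any(hmac.compare_digest(fp, t) for t in trusted_fps)

def audit(embedded_key, server_key, trusted_fps):
    """Run both checks for one client build talking to one server."""
    return {
        "in_band": in_band_check(embedded_key, fingerprint(server_key)),
        "out_of_band": out_of_band_check(embedded_key, trusted_fps),
    }

# Constructed stand-ins for serialized keys; not real key material.
VENDOR_KEY = b"constructed-vendor-public-key"
SUBSTITUTED_KEY = b"constructed-substituted-public-key"

# Fingerprints a user would need from an independent, authenticated source.
TRUSTED = {fingerprint(VENDOR_KEY)}

def demo():
    return {
        # Unmodified client talking to the vendor's server.
        "legitimate": audit(VENDOR_KEY, VENDOR_KEY, TRUSTED),
        # Modified client talking to the server whose key it embeds:
        # the in-band check still passes, so behavior looks identical.
        "modified": audit(SUBSTITUTED_KEY, SUBSTITUTED_KEY, TRUSTED),
        # Modified client pointed at the vendor's server: keys disagree.
        "mismatch": audit(SUBSTITUTED_KEY, VENDOR_KEY, TRUSTED),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```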