[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FD] Telegram - Multiple Vulnerabilities
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: Re: [FD] Telegram - Multiple Vulnerabilities
- From: Uni Sec <unisecure@xxxxxxxxxxx>
- Date: Fri, 2 Oct 2015 10:21:58 +0000
Could you be a little more clear with the process for number 5, the account
hijack and contact import? Isn't intercepting the 5-digit code sufficient to
gain account takeover?
-J
> Date: Tue, 29 Sep 2015 18:53:52 -0300
> From: edudx1@xxxxxxxxx
> To: fulldisclosure@xxxxxxxxxxxx
> Subject: [FD] Telegram - Multiple Vulnerabilities
>
<snip>
> #[5] Hijacking account and importing contacts
>
> If the victim uses only the passcode as two-step verification, we can reset
> her account, and as a result, the attacker creates the possibility for
> importing contacts and hijacking the account:
>
>
> - Attacker asks for token using Telegram-Web
> - Obtains the code
> - Resets account
> - Waits for the victim to log-in
> - Imports contacts (auto)
> - Kills the victim's session
> - Enables Two-Step verification (passcode + email)
>
>
>
> Thanks to:
>
> Leandro Oliveira
> Joaquim Brasil
> Marcelo Pessoa
> Toronto Garcez
> Tiago Barbosa
>
> From Tempest Security Intelligence
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/