Full Disclosure mailing list archives

Re: Telegram authentication bypass


From: Hanno Böck <hanno () hboeck de>
Date: Mon, 28 Apr 2014 21:15:13 +0200

On Mon, 28 Apr 2014 11:17:31 +0200
jdiaz () cert inteco es wrote:

> This may allow
> an attacker leveraging this issue (e.g. by distributing a slightly
> modified client) to obtain almost full control of the victim's
> account.

I haven't read the details, but can you please explain how it is an
"attack" if I can control a user if I manage that he installs a
modified client?
I can do anything if a user installs a client I can modify. That's
no surprise and has nothing to do with the protocol in use.

I'm certainly not a fan of Telegram's strange security protocol, but
this seriously sounds like strange FUD (haven't read the paper, maybe
it's just a joke or a fake).

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42
