Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Telegram - Multiple Vulnerabilities

From: Uni Sec <unisecure () outlook com>
Date: Fri, 2 Oct 2015 10:21:58 +0000
Could you be a little more clear with the process for number 5, the account hijack and contact import? Isn't 
intercepting the 5-digit code sufficient to gain account takeover?
-J

Date: Tue, 29 Sep 2015 18:53:52 -0300
From: edudx1 () gmail com
To: fulldisclosure () seclists org
Subject: [FD] Telegram - Multiple Vulnerabilities



<snip>

#[5] Hijacking account and importing contacts

If the victim uses only the passcode as two-step verification, we can reset
her account, and as a result, the attacker creates the possibility for
importing contacts and hijacking the account:


- Attacker asks for token using Telegram-Web
- Obtains the code
- Resets account
- Waits for the victim to log-in
- Imports contacts (auto)
- Kills the victim's session
- Enables Two-Step verification (passcode + email)



Thanks to:

Leandro Oliveira
Joaquim Brasil
Marcelo Pessoa
Toronto Garcez
Tiago Barbosa

From Tempest Security Intelligence

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

                                          

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: