Full Disclosure mailing list archives
Re: Telegram - Multiple Vulnerabilities
From: Uni Sec <unisecure () outlook com>
Date: Fri, 2 Oct 2015 10:21:58 +0000
Could you be a little more clear with the process for number 5, the account hijack and contact import? Isn't intercepting the 5-digit code sufficient to gain account takeover?

-J

Date: Tue, 29 Sep 2015 18:53:52 -0300
From: edudx1 () gmail com
To: fulldisclosure () seclists org
Subject: [FD] Telegram - Multiple Vulnerabilities
<snip>
#[5] Hijacking account and importing contacts

If the victim uses only the passcode as two-step verification, we can reset her account, and as a result, the attacker creates the possibility for importing contacts and hijacking the account:

- Attacker asks for token using Telegram-Web
- Obtains the code
- Resets account
- Waits for the victim to log-in
- Imports contacts (auto)
- Kills the victim's session
- Enables Two-Step verification (passcode + email)

Thanks to: Leandro Oliveira Joaquim Brasil Marcelo Pessoa Toronto Garcez Tiago Barbosa
From Tempest Security Intelligence

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Telegram - Multiple Vulnerabilities Eduardo Alves (Oct 01)
- Re: Telegram - Multiple Vulnerabilities Uni Sec (Oct 05)