Date: Mon, 28 Apr 2014 11:17:31 +0200
From: jdiaz@...t.inteco.es
To: fulldisclosure@...lists.org
Subject: [FD] Telegram authentication bypass

Hello,

A security issue affecting Telegram instant messaging service has been
made public by INTECO-CERT. Further details follow.

----------------------------------
Affected products and services:
----------------------------------

Telegram instant messaging service.


----------------------------------
Overview:
----------------------------------

Telegram authentication mechanism may be circumvented, since there is no
way to verify the legitimacy of Telegram’s public keys and thus if the
client is communicating with a legitimate server. This may allow an
attacker leveraging this issue (e.g. by distributing a slightly modified
client) to obtain almost full control of the victim's account. Further,
the behavior of the victim’s client is exactly the same than the behavior
of a legitimate client.

For a detailed analysis, including a PoC, visit:
http://www.inteco.es/blogs/post/Seguridad/BlogSeguridad/Articulo_y_comentarios/telegram_authentication
(blog post with extended abstract) or
http://cert.inteco.es/extfrontinteco/img/File/intecocert/EstudiosInformes/INT_Telegram_EN.pdf
(detailed research results).

----------------------------------
Timeline:
----------------------------------

2014.03.07 - Initial contact with Telegram security team.
2014.03.10 - Telegram response informing that this issue is out of their
security model.
2014.03.11 - Submission of PoC to Telegram security team.
2014.04.28 - Publication of research results.


Sincerely,

Jesus Diaz



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists