Message-ID: <beb068900c80ae6b06236ea774c54de2.squirrel@correo.cert.inteco.es>
Date: Mon, 28 Apr 2014 11:17:31 +0200
From: jdiaz@...t.inteco.es
To: fulldisclosure@...lists.org
Subject: [FD] Telegram authentication bypass
Hello,
A security issue affecting Telegram instant messaging service has been
made public by INTECO-CERT. Further details follow.
----------------------------------
Affected products and services:
----------------------------------
Telegram instant messaging service.
----------------------------------
Overview:
----------------------------------
Telegram's authentication mechanism may be circumvented, since there is no
way to verify the legitimacy of Telegram's public keys and thus whether the
client is communicating with a legitimate server. This may allow an
attacker leveraging this issue (e.g. by distributing a slightly modified
client) to obtain almost full control of the victim's account. Further,
the behavior of the victim's client is exactly the same as the behavior
of a legitimate client.
For a detailed analysis, including a PoC, visit:
http://www.inteco.es/blogs/post/Seguridad/BlogSeguridad/Articulo_y_comentarios/telegram_authentication
(blog post with extended abstract) or
http://cert.inteco.es/extfrontinteco/img/File/intecocert/EstudiosInformes/INT_Telegram_EN.pdf
(detailed research results).
----------------------------------
Timeline:
----------------------------------
2014.03.07 - Initial contact with Telegram security team.
2014.03.10 - Telegram response informing that this issue is out of their
security model.
2014.03.11 - Submission of PoC to Telegram security team.
2014.04.28 - Publication of research results.
Sincerely,
Jesus Diaz
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/