| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 2 Oct 2015 10:21:58 +0000 From: Uni Sec <unisecure@...look.com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] Telegram - Multiple Vulnerabilities Could you be a little more clear with the process for number 5, the account hijack and contact import? Isn't intercepting the 5-digit code sufficient to gain account takeover? -J > Date: Tue, 29 Sep 2015 18:53:52 -0300 > From: edudx1@...il.com > To: fulldisclosure@...lists.org > Subject: [FD] Telegram - Multiple Vulnerabilities > <snip> > #[5] Hijacking account and importing contacts > > If the victim uses only the passcode as two-step verification, we can reset > her account, and as a result, the attacker creates the possibility for > importing contacts and hijacking the account: > > > - Attacker asks for token using Telegram-Web > - Obtains the code > - Resets account > - Waits for the victim to log-in > - Imports contacts (auto) > - Kills the victim's session > - Enables Two-Step verification (passcode + email) > > > > Thanks to: > > Leandro Oliveira > Joaquim Brasil > Marcelo Pessoa > Toronto Garcez > Tiago Barbosa > > From Tempest Security Intelligence > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists