[liberationtech] About Telegram

Tony Arcieri bascule at gmail.com
Mon Apr 28 11:10:31 PDT 2014

Telegram popped again:

---------- Forwarded message ----------
From: <jdiaz at cert.inteco.es>
Date: Mon, Apr 28, 2014 at 2:17 AM
Subject: [FD] Telegram authentication bypass
To: fulldisclosure at seclists.org


A security issue affecting Telegram instant messaging service has been
made public by INTECO-CERT. Further details follow.

Affected products and services:

Telegram instant messaging service.


Telegram authentication mechanism may be circumvented, since there is no
way to verify the legitimacy of Telegram’s public keys and thus if the
client is communicating with a legitimate server. This may allow an
attacker leveraging this issue (e.g. by distributing a slightly modified
client) to obtain almost full control of the victim's account. Further,
the behavior of the victim’s client is exactly the same as the behavior
of a legitimate client.

For a detailed analysis, including a PoC, visit:
(blog post with extended abstract) or
(detailed research results).


2014.03.07 - Initial contact with Telegram security team.
2014.03.10 - Telegram response informing that this issue is out of their
security model.
2014.03.11 - Submission of PoC to Telegram security team.
2014.04.28 - Publication of research results.


Jesus Diaz

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/

Tony Arcieri

On Wed, Apr 2, 2014 at 7:05 PM, Tony Arcieri <bascule at gmail.com> wrote:

> On Wed, Apr 2, 2014 at 6:34 PM, Steve Weis <steveweis at gmail.com> wrote:
>> Regardless, I think if someone had noticed the flaw sooner, they could
>> have recovered the 48-bits of LCG state and won the contest.
> The insidious thing the Telegram developers continue to do is point to the
> fact nobody won their contest as evidence the software is secure while
> downplaying the fact that multiple security vulnerabilities were found and
> they paid out $100,000.
> The contest is silly and irrelevant, but it is successful marketing. The
> New York Times reported on March 19th, 2014:
> http://bits.blogs.nytimes.com/2014/03/19/can-you-trust-secure-messaging-apps/
> "In the first contest, which ended March 1, no one managed to crack the
> encryption."
> This despite the fact that serious vulnerabilities were discovered in
> 2013. Telegram is utilizing the "contests" as talking points for successful
> marketing, while managing to keep the serious flaws in the design and the
> security vulnerabilities that have been discovered out of the public eye.
> As a security practitioner I consider this sort of behavior disgraceful
> and unbecoming of the developers of cryptography software.
> --
> Tony Arcieri

Tony Arcieri