[liberationtech] About Telegram
Tony Arcieri
bascule at gmail.com
Mon Apr 28 22:29:56 PDT 2014
I should note the "paper" I just linked suggests that you install a malware
client, which is rather silly of them. At least in this particular case,
the results seem overblown.
On Mon, Apr 28, 2014 at 11:10 AM, Tony Arcieri <bascule at gmail.com> wrote:
> Telegram popped again:
>
>
>
> ---------- Forwarded message ----------
> From: <jdiaz at cert.inteco.es>
> Date: Mon, Apr 28, 2014 at 2:17 AM
> Subject: [FD] Telegram authentication bypass
> To: fulldisclosure at seclists.org
>
>
> Hello,
>
> A security issue affecting Telegram instant messaging service has been
> made public by INTECO-CERT. Further details follow.
>
> ----------------------------------
> Affected products and services:
> ----------------------------------
>
> Telegram instant messaging service.
>
>
> ----------------------------------
> Overview:
> ----------------------------------
>
> Telegram authentication mechanism may be circumvented, since there is no
> way to verify the legitimacy of Telegram’s public keys and thus if the
> client is communicating with a legitimate server. This may allow an
> attacker leveraging this issue (e.g. by distributing a slightly modified
> client) to obtain almost full control of the victim's account. Further,
> the behavior of the victim’s client is exactly the same as the behavior
> of a legitimate client.
>
> For a detailed analysis, including a PoC, visit:
>
> http://www.inteco.es/blogs/post/Seguridad/BlogSeguridad/Articulo_y_comentarios/telegram_authentication
> (blog post with extended abstract) or
>
> http://cert.inteco.es/extfrontinteco/img/File/intecocert/EstudiosInformes/INT_Telegram_EN.pdf
> (detailed research results).
>
> ----------------------------------
> Timeline:
> ----------------------------------
>
> 2014.03.07 - Initial contact with Telegram security team.
> 2014.03.10 - Telegram response informing that this issue is out of their
> security model.
> 2014.03.11 - Submission of PoC to Telegram security team.
> 2014.04.28 - Publication of research results.
>
>
> Sincerely,
>
> Jesus Diaz
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
>
>
> --
> Tony Arcieri
>
>
> On Wed, Apr 2, 2014 at 7:05 PM, Tony Arcieri <bascule at gmail.com> wrote:
>
>> On Wed, Apr 2, 2014 at 6:34 PM, Steve Weis <steveweis at gmail.com> wrote:
>>
>>> Regardless, I think if someone had noticed the flaw sooner, they could
>>> have recovered the 48-bits of LCG state and won the contest.
>>>
>> The insidious thing the Telegram developers continue to do is point to
>> the fact nobody won their contest as evidence the software is secure while
>> downplaying the fact that multiple security vulnerabilities were found and
>> they paid out $100,000.
>>
>> The contest is silly and irrelevant, but it is successful marketing. The
>> New York Times reported on March 19th, 2014:
>>
>>
>> http://bits.blogs.nytimes.com/2014/03/19/can-you-trust-secure-messaging-apps/
>>
>> "In the first contest, which ended March 1, no one managed to crack the
>> encryption."
>>
>> This despite the fact that serious vulnerabilities were discovered in
>> 2013. Telegram is utilizing the "contests" as talking points for successful
>> marketing, while managing to keep the serious flaws in the design and the
>> security vulnerabilities that have been discovered out of the public eye.
>>
>> As a security practitioner I consider this sort of behavior disgraceful
>> and unbecoming of the developers of cryptography software.
>>
>> --
>> Tony Arcieri
>>
>
>
>
> --
> Tony Arcieri
>
--
Tony Arcieri