Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] About Telegram

Tony Arcieri bascule at gmail.com
Mon Apr 28 11:10:31 PDT 2014


Telegram popped again:



---------- Forwarded message ----------
From: <jdiaz at cert.inteco.es>
Date: Mon, Apr 28, 2014 at 2:17 AM
Subject: [FD] Telegram authentication bypass
To: fulldisclosure at seclists.org


Hello,

A security issue affecting Telegram instant messaging service has been
made public by INTECO-CERT. Further details follow.

----------------------------------
Affected products and services:
----------------------------------

Telegram instant messaging service.


----------------------------------
Overview:
----------------------------------

Telegram authentication mechanism may be circumvented, since there is no
way to verify the legitimacy of Telegram’s public keys and thus if the
client is communicating with a legitimate server. This may allow an
attacker leveraging this issue (e.g. by distributing a slightly modified
client) to obtain almost full control of the victim's account. Further,
the behavior of the victim’s client is exactly the same than the behavior
of a legitimate client.

For a detailed analysis, including a PoC, visit:
http://www.inteco.es/blogs/post/Seguridad/BlogSeguridad/Articulo_y_comentarios/telegram_authentication
(blog post with extended abstract) or
http://cert.inteco.es/extfrontinteco/img/File/intecocert/EstudiosInformes/INT_Telegram_EN.pdf
(detailed research results).

----------------------------------
Timeline:
----------------------------------

2014.03.07 - Initial contact with Telegram security team.
2014.03.10 - Telegram response informing that this issue is out of their
security model.
2014.03.11 - Submission of PoC to Telegram security team.
2014.04.28 - Publication of research results.


Sincerely,

Jesus Diaz



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/



-- 
Tony Arcieri


On Wed, Apr 2, 2014 at 7:05 PM, Tony Arcieri <bascule at gmail.com> wrote:

> On Wed, Apr 2, 2014 at 6:34 PM, Steve Weis <steveweis at gmail.com> wrote:
>
>> Regardless, I think if someone had noticed the flaw sooner, they could
>> have recovered the 48-bits of LCG state and won the contest.
>>
> The insidious thing the Telegram developers continue to do is point to the
> fact nobody one their contest as evidence the software is secure while
> downplaying the fact that multiple security vulnerabilities were found and
> they paid out $100,000.
>
> The contest is silly and irrelevant, but it is successful marketing. The
> New York Times reported on March 19th, 2014:
>
>
> http://bits.blogs.nytimes.com/2014/03/19/can-you-trust-secure-messaging-apps/
>
> "In the first contest, which ended March 1, no one managed to crack the
> encryption."
>
> This despite the fact that serious vulnerabilities were discovered in
> 2013. Telegram is utilizing the "contests" as talking points for successful
> marketing, while managing to keep the serious flaws in the design and the
> security vulnerabilities that have been discovered out of the public eye.
>
> As a security practitioner I consider this sort of behavior disgraceful
> and unbecoming of the developers of cryptography software.
>
> --
> Tony Arcieri
>



-- 
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140428/84384357/attachment.html>


More information about the liberationtech mailing list