Could you be a little more clear with the process for number 5, the account hijack and contact import? Isn't intercepting the 5-digit code sufficient to gain account takeover? -J > Date: Tue, 29 Sep 2015 18:53:52 -0300 > From: [email protected] > To: [email protected] > Subject: [FD] Telegram - Multiple Vulnerabilities >
<snip> > #[5] Hijacking account and importing contacts > > If the victim uses only the passcode as two-step verification, we can reset > her account, and as a result, the attacker creates the possibility for > importing contacts and hijacking the account: > > > - Attacker asks for token using Telegram-Web > - Obtains the code > - Resets account > - Waits for the victim to log-in > - Imports contacts (auto) > - Kills the victim's session > - Enables Two-Step verification (passcode + email) > > > > Thanks to: > > Leandro Oliveira > Joaquim Brasil > Marcelo Pessoa > Toronto Garcez > Tiago Barbosa > > From Tempest Security Intelligence > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
