Telegram popped again:

---------- Forwarded message ----------
From: <jd...@cert.inteco.es>
Date: Mon, Apr 28, 2014 at 2:17 AM
Subject: [FD] Telegram authentication bypass
To: fulldisclos...@seclists.org

Hello,

A security issue affecting Telegram instant messaging service has been made public by INTECO-CERT. Further details follow.

----------------------------------
Affected products and services:
----------------------------------

Telegram instant messaging service.

----------------------------------
Overview:
----------------------------------

Telegram authentication mechanism may be circumvented, since there is no way to verify the legitimacy of Telegram’s public keys and thus if the client is communicating with a legitimate server. This may allow an attacker leveraging this issue (e.g. by distributing a slightly modified client) to obtain almost full control of the victim's account. Further, the behavior of the victim’s client is exactly the same as the behavior of a legitimate client.

For a detailed analysis, including a PoC, visit:

http://www.inteco.es/blogs/post/Seguridad/BlogSeguridad/Articulo_y_comentarios/telegram_authentication (blog post with extended abstract)

or

http://cert.inteco.es/extfrontinteco/img/File/intecocert/EstudiosInformes/INT_Telegram_EN.pdf (detailed research results).

----------------------------------
Timeline:
----------------------------------

2014.03.07 - Initial contact with Telegram security team.
2014.03.10 - Telegram response informing that this issue is out of their security model.
2014.03.11 - Submission of PoC to Telegram security team.
2014.04.28 - Publication of research results.

Sincerely,
Jesus Diaz

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

--
Tony Arcieri

On Wed, Apr 2, 2014 at 7:05 PM, Tony Arcieri <basc...@gmail.com> wrote:

> On Wed, Apr 2, 2014 at 6:34 PM, Steve Weis <stevew...@gmail.com> wrote:
>
>> Regardless, I think if someone had noticed the flaw sooner, they could
>> have recovered the 48-bits of LCG state and won the contest.
>
> The insidious thing the Telegram developers continue to do is point to the
> fact nobody won their contest as evidence the software is secure while
> downplaying the fact that multiple security vulnerabilities were found and
> they paid out $100,000.
>
> The contest is silly and irrelevant, but it is successful marketing. The
> New York Times reported on March 19th, 2014:
>
> http://bits.blogs.nytimes.com/2014/03/19/can-you-trust-secure-messaging-apps/
>
> "In the first contest, which ended March 1, no one managed to crack the
> encryption."
>
> This despite the fact that serious vulnerabilities were discovered in
> 2013. Telegram is utilizing the "contests" as talking points for successful
> marketing, while managing to keep the serious flaws in the design and the
> security vulnerabilities that have been discovered out of the public eye.
>
> As a security practitioner I consider this sort of behavior disgraceful
> and unbecoming of the developers of cryptography software.
>
> --
> Tony Arcieri