I should note the "paper" I just linked suggests that you install a malware client, which is rather silly of them. At least in this particular case, the results seem overblown.
On Mon, Apr 28, 2014 at 11:10 AM, Tony Arcieri <[email protected]> wrote: > Telegram popped again: > > > > ---------- Forwarded message ---------- > From: <[email protected]> > Date: Mon, Apr 28, 2014 at 2:17 AM > Subject: [FD] Telegram authentication bypass > To: [email protected] > > > Hello, > > A security issue affecting Telegram instant messaging service has been > made public by INTECO-CERT. Further details follow. > > ---------------------------------- > Affected products and services: > ---------------------------------- > > Telegram instant messaging service. > > > ---------------------------------- > Overview: > ---------------------------------- > > Telegram authentication mechanism may be circumvented, since there is no > way to verify the legitimacy of Telegram’s public keys and thus if the > client is communicating with a legitimate server. This may allow an > attacker leveraging this issue (e.g. by distributing a slightly modified > client) to obtain almost full control of the victim's account. Further, > the behavior of the victim’s client is exactly the same than the behavior > of a legitimate client. > > For a detailed analysis, including a PoC, visit: > > http://www.inteco.es/blogs/post/Seguridad/BlogSeguridad/Articulo_y_comentarios/telegram_authentication > (blog post with extended abstract) or > > http://cert.inteco.es/extfrontinteco/img/File/intecocert/EstudiosInformes/INT_Telegram_EN.pdf > (detailed research results). > > ---------------------------------- > Timeline: > ---------------------------------- > > 2014.03.07 - Initial contact with Telegram security team. > 2014.03.10 - Telegram response informing that this issue is out of their > security model. > 2014.03.11 - Submission of PoC to Telegram security team. > 2014.04.28 - Publication of research results. > > > Sincerely, > > Jesus Diaz > > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > > > > -- > Tony Arcieri > > > On Wed, Apr 2, 2014 at 7:05 PM, Tony Arcieri <[email protected]> wrote: > >> On Wed, Apr 2, 2014 at 6:34 PM, Steve Weis <[email protected]> wrote: >> >>> Regardless, I think if someone had noticed the flaw sooner, they could >>> have recovered the 48-bits of LCG state and won the contest. >>> >> The insidious thing the Telegram developers continue to do is point to >> the fact nobody one their contest as evidence the software is secure while >> downplaying the fact that multiple security vulnerabilities were found and >> they paid out $100,000. >> >> The contest is silly and irrelevant, but it is successful marketing. The >> New York Times reported on March 19th, 2014: >> >> >> http://bits.blogs.nytimes.com/2014/03/19/can-you-trust-secure-messaging-apps/ >> >> "In the first contest, which ended March 1, no one managed to crack the >> encryption." >> >> This despite the fact that serious vulnerabilities were discovered in >> 2013. Telegram is utilizing the "contests" as talking points for successful >> marketing, while managing to keep the serious flaws in the design and the >> security vulnerabilities that have been discovered out of the public eye. >> >> As a security practitioner I consider this sort of behavior disgraceful >> and unbecoming of the developers of cryptography software. >> >> -- >> Tony Arcieri >> > > > > -- > Tony Arcieri > -- Tony Arcieri
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
