Why two-factor authentication in Telegram does not work
After the recent high-profile hacking of Telegram accounts in Russia, the founder of the service, Pavel Durov, said that two-factor authorization "allows you to protect important information."
Yes, if the two-factor authentication in Telegram is enabled, then the attacker who hijacked your account will not receive the history of your correspondence - but this two-factor does not protect against theft, although it seems like it should.
That is, if an attacker can receive your SMS with a login code, then he is guaranteed to hijack your account, regardless of whether you have two-factor authentication enabled or not.
By “hijack” I understand “can enter the Telegram application under your phone number” and write messages on your behalf to your contacts.
')
It happens as follows:
1. The attacker in his application indicates the phone number of the victim and tries to enter the account. Here he sees a message that the code was sent not by SMS, but to the application registered to this number on another device:
2. At this point, the victim receives a system notification in his application (or applications) Telegram:
3. The attacker clicks "Didn't get the code?" And Telegram sends the code via SMS:
4. Here the attacker enters the code from the SMS and finds out that two-factor authorization is enabled in the account settings and that he needs to enter a password (in this case, “10” is a hint for the password chosen when the two-factor was turned on):
5. Next, the attacker pretends that he forgot the password - “Forgot password?”. Here the attacker is informed that the recovery code has been sent by e-mail (if the victim specified the e-mail address when the two-factor authentication was enabled). The attacker does not see the email address - he sees only that after the "dog":
6. At this point, the victim receives a code to reset the password to an email address (if she specified an email address when enabling two-factor authentication):
7. The attacker clicks "ok" and sees a window where you need to enter the code to reset the password that was sent to the email. Here the attacker says that he has problems with access to his mail - “Having trouble accessing your e-mail?”. Then Telegram offers “reset your account”:
8. The attacker clicks "ok" and sees two options - either enter a password, or press "RESET MY ACCOUNT". Telegram explains that when you “reinstall” your account, all correspondence and files from all chats will be lost:
9. The attacker presses "RESET MY ACCOUNT" and sees a warning that this action cannot be undone and that all messages and chats will be deleted:
10. The attacker clicks "RESET" and Telegram asks for a name for the "reinstalled" account:
11. Actually, everything, the attacker successfully hijacked the account: he entered under the victim's phone number and can write messages on her behalf:
12. The victim sees the application as it was immediately after installation. The welcome screen tells about Telegram and offers to register or enter an existing account:
13. When an attacker writes on behalf of a victim to someone from the victim's contacts, this contact sees that the victim has just joined Telegram (which is suspicious), as well as a new message (or messages) in the new chat from the victim. After 12–16 hours, the contact will also see that in the old chat rooms the victim’s name is “Deleted Account”:
If the victim is able to receive SMS on this phone number, she can enter the Telegram application on her device. If an attacker on a hijacked account has not enabled two-factor authentication, the victim can enter the Settings => Privacy and Security => Active Sessions menu and terminate all other sessions (that is, the attacker's session):
If an attacker on a hijacked account has enabled two-factor authentication, the victim, in turn, in the same way can “hijack back” his account.
It turns out that the only benefit from two-factor authentication in Telegram is that the attacker does not receive correspondence from the usual non-secret chat rooms (if you steal an account without the two-factor account enabled, then the attacker will receive the entire history of correspondence from unclassified chat rooms, from the secret chat rooms he will not receive anything ). That is, a Telegram with enabled two-factor authentication gives approximately the same thing as Signal and WhatsApp do so without any two-factor authentication.
In other words, two-factor authorization in Telegram is not quite real, Telegram still allows you to log in using only one factor - the code from the SMS.
The situation is somewhat anecdotal: here you are, users, two-factor authorization. The first factor is the code from the SMS (which I have), the second factor is the password (which I know). It sounds great, but when the user says - but I forgot the password, Telegram says - well, nothing happens, log in without a password and use your health :)
This was found experimentally through a slightly larger study on Telegram, WhatsApp and Signal - “ How“ protected ”messengers are protected from SMS theft ”
Yes, if the two-factor authentication in Telegram is enabled, then the attacker who hijacked your account will not receive the history of your correspondence - but this two-factor does not protect against theft, although it seems like it should.
That is, if an attacker can receive your SMS with a login code, then he is guaranteed to hijack your account, regardless of whether you have two-factor authentication enabled or not.
By “hijack” I understand “can enter the Telegram application under your phone number” and write messages on your behalf to your contacts.
')
It happens as follows:
1. The attacker in his application indicates the phone number of the victim and tries to enter the account. Here he sees a message that the code was sent not by SMS, but to the application registered to this number on another device:
2. At this point, the victim receives a system notification in his application (or applications) Telegram:
3. The attacker clicks "Didn't get the code?" And Telegram sends the code via SMS:
4. Here the attacker enters the code from the SMS and finds out that two-factor authorization is enabled in the account settings and that he needs to enter a password (in this case, “10” is a hint for the password chosen when the two-factor was turned on):
5. Next, the attacker pretends that he forgot the password - “Forgot password?”. Here the attacker is informed that the recovery code has been sent by e-mail (if the victim specified the e-mail address when the two-factor authentication was enabled). The attacker does not see the email address - he sees only that after the "dog":
6. At this point, the victim receives a code to reset the password to an email address (if she specified an email address when enabling two-factor authentication):
7. The attacker clicks "ok" and sees a window where you need to enter the code to reset the password that was sent to the email. Here the attacker says that he has problems with access to his mail - “Having trouble accessing your e-mail?”. Then Telegram offers “reset your account”:
8. The attacker clicks "ok" and sees two options - either enter a password, or press "RESET MY ACCOUNT". Telegram explains that when you “reinstall” your account, all correspondence and files from all chats will be lost:
9. The attacker presses "RESET MY ACCOUNT" and sees a warning that this action cannot be undone and that all messages and chats will be deleted:
10. The attacker clicks "RESET" and Telegram asks for a name for the "reinstalled" account:
11. Actually, everything, the attacker successfully hijacked the account: he entered under the victim's phone number and can write messages on her behalf:
12. The victim sees the application as it was immediately after installation. The welcome screen tells about Telegram and offers to register or enter an existing account:
13. When an attacker writes on behalf of a victim to someone from the victim's contacts, this contact sees that the victim has just joined Telegram (which is suspicious), as well as a new message (or messages) in the new chat from the victim. After 12–16 hours, the contact will also see that in the old chat rooms the victim’s name is “Deleted Account”:
If the victim is able to receive SMS on this phone number, she can enter the Telegram application on her device. If an attacker on a hijacked account has not enabled two-factor authentication, the victim can enter the Settings => Privacy and Security => Active Sessions menu and terminate all other sessions (that is, the attacker's session):
If an attacker on a hijacked account has enabled two-factor authentication, the victim, in turn, in the same way can “hijack back” his account.
It turns out that the only benefit from two-factor authentication in Telegram is that the attacker does not receive correspondence from the usual non-secret chat rooms (if you steal an account without the two-factor account enabled, then the attacker will receive the entire history of correspondence from unclassified chat rooms, from the secret chat rooms he will not receive anything ). That is, a Telegram with enabled two-factor authentication gives approximately the same thing as Signal and WhatsApp do so without any two-factor authentication.
In other words, two-factor authorization in Telegram is not quite real, Telegram still allows you to log in using only one factor - the code from the SMS.
The situation is somewhat anecdotal: here you are, users, two-factor authorization. The first factor is the code from the SMS (which I have), the second factor is the password (which I know). It sounds great, but when the user says - but I forgot the password, Telegram says - well, nothing happens, log in without a password and use your health :)
This was found experimentally through a slightly larger study on Telegram, WhatsApp and Signal - “ How“ protected ”messengers are protected from SMS theft ”
Source: https://habr.com/ru/post/357108/
All Articles