At the end of May of this year, I wrote "Why two-factor authentication in Telegram does not work (with pictures)".
Later, about a month after the publication, it happened to Sergey Parkhomenko: his account was hijacked in the described manner.
After that, it seems that Telegram temporarily disabled the ability to delete profiles protected by two-factor authentication in the messenger using a code from SMS.
About two weeks ago, I repeated my May experiment of hijacking a Telegram account on myself, and everything worked again, just like last time.
In short, as of August 18, 2016, the attack on accounts protected by two-factor authentication works again: an attacker who has access to the user's SMS can “reinstall” the account, and for this he does not need to know the password.
The screenshot shows the result: the interlocutor hijacked the account protected by two-factor authentication and wrote messages on the owner's behalf.
That is, just so you know, two-factor authentication in Telegram is currently not working.
Either "again", if this capability really was turned off in June, or "still", if nobody ever turned it off.