Two-factor authentication in Telegram still / again does not work

At the end of May of this year, I wrote Why two-factor authentication in Telegram does not work (with pictures).



Later, about a month after the publication, it happened to Sergey Parkhomenko - his account was hijacked in the described manner.



After that, it seems like Telegram has temporarily disabled the ability to delete profiles protected by two-factor authentication in the messenger by code from SMS .

')

About two weeks ago, I repeated my May experiment with hijacking a Telegram account with myself — and everything worked out again, just like last time .



In short, as of August 18, 2016, the attack on accounts protected by two-factor authentication again works successfully: an attacker who has access to the user's SMS can “reinstall” the account, and for this he does not need to know the password:







In the screenshot we see the result of the fact that the interlocutor hijacked the account protected by two-factor authentication, and wrote messages on his behalf.



That is, if that, two-factor authentication in the Telegram is currently not working.

Or again - if this opportunity was really turned off in June, or still - if no one did.