packetstorm | Shahab Shamsi | PACKETSTORM:143139
History: Jun 25, 2017 - 12:00 a.m.

Telegram 4.0.1 Two Factor Authentication Bypass

`  
Title:  
===============  
Telegram 4.0.1 - "TwoFactor Authentication" ByPass (0day)  
  
  
Author:  
===============  
Shahab Shamsi  
  
  
Vendor Homepage  
===============  
https://telegram.org/  
  
  
Date:  
===============  
2017-06-25  
  
  
Exploitation-Technique:  
===============  
Local, Remote  
  
  
References:  
===============  
Video1: https://www.youtube.com/watch?v=44ZDbvnZILk  
Video2: http://securityman.org/telegram-4-0-1-twofactor-authentication-bypass-0day/  
  
  
Severity Level:  
===============  
High  
  
  
Description:  
===============  
This vulnerability lets you bypass the two-factor authentication of a Telegram account,  
so you can access the target Telegram account.  
  
Conditions:  
- You have access to the activation code.  
- Telegram is updated to the final version.  
  
  
  
  
POC:  
===============  
Step 1 : First, connect to the target account via one of the Telegram versions.  
Step 2 : Then, enter the activation code of the account.  
Step 3 : At the final step, which requires the two-factor authentication password, reset the account without entering the second password.  
  
  
Solution:  
==============  
- This bug proves that the two-factor authentication of Telegram accounts needs to be reviewed.  
  
There is no certain solution to resolve this security problem so far.  
  
  
  
Contact Me :  
==============  
Telegram : @Shahab_Shamsi  
Email : [email protected]  
Website : WwW.iran123.Org  
Thanks : Artin ghafari (Hidden Eagle)  
- Thanks to my dear friend "Artin Ghafari" for recording the video and helping to discover the bug.  
`
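
The check below is an added example, not part of the original advisory and not Telegram's code: it models the login flow from the POC steps as a small state graph and searches for any path that reaches a logged-in state without proving every required factor. The state names, action names and the "without reset" variant are assumptions made for illustration.

```python
from collections import deque

# Constructed model of the flow in the POC steps (names are assumptions).
# Each edge: (from_state, action, factors the action proves, to_state)
FLOW_AS_REPORTED = [
    ("start", "submit_phone", frozenset(), "await_code"),
    ("await_code", "enter_activation_code", frozenset({"sms_code"}), "await_password"),
    ("await_password", "enter_password", frozenset({"password"}), "logged_in"),
    # Step 3 of the POC: reset offered at the password prompt, no password needed.
    ("await_password", "reset_account", frozenset(), "logged_in"),
]

# Hypothetical variant for comparison only; the advisory states no fix.
FLOW_WITHOUT_RESET = [e for e in FLOW_AS_REPORTED if e[1] != "reset_account"]

REQUIRED = frozenset({"sms_code", "password"})


def bypass_paths(flow, start="start", goal="logged_in", required=REQUIRED):
    """Return each loop-free action sequence that reaches `goal`
    without having proven every factor in `required`."""
    found = []
    # Queue items: (state, factors proven so far, actions taken, visited states)
    queue = deque([(start, frozenset(), (), frozenset({start}))])
    while queue:
        state, proven, path, seen = queue.popleft()
        if state == goal:
            if not required <= proven:
                found.append({"actions": list(path),
                              "missing": sorted(required - proven)})
            continue
        for src, action, factors, dst in flow:
            if src == state and dst not in seen:
                queue.append((dst, proven | factors,
                              path + (action,), seen | {dst}))
    return found


if __name__ == "__main__":
    for name, flow in (("as reported", FLOW_AS_REPORTED),
                       ("without reset", FLOW_WITHOUT_RESET)):
        print(name, bypass_paths(flow))
```

The same function can be run over any login flow written as edges, which makes it usable as a design-review or regression check whenever a recovery or reset action is added next to a second-factor prompt.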