Telegram: Bypassing the authentication protocol

Posted on 04/28/2014
INCIBE has published an analysis of the authentication and authorization protocol of the instant messaging application Telegram. The study shows a design problem, and includes a Proof of Concept, that might allow an attacker to bypass the system's authentication and obtain almost complete control of the victim's account.

Telegram, a recent entrant in the instant messaging market, stands out among its competitors for combining a simple user experience with a high level of security. Its protocols, developed in-house, have been designed from the beginning with this aspect in mind. Moreover, the protocols are free and the API for interacting with its servers is open, as is the code of the official client.

This greatly facilitates, and encourages, the development of third-party applications. In fact, besides the official application, available for Android and iOS, there are at least 6 unofficial applications in beta stage for different devices and environments (Linux, Windows, Mac), and another seven in alpha or pre-alpha stage.

Nevertheless, the current study shows that this has important implications for the design of the system. Specifically, an attacker who tricks victims into installing slightly manipulated unofficial clients, whose behaviour appears completely legitimate, might bypass Telegram's authentication and gain almost complete control of the victims' accounts.