Telegram compromised in Iran via SMS confirmation messages


#1

SMS confirmation messages on account creation were supposed to make things more secure, but ended up making them less secure, because the phone company gave them to the state.

As far as the SMS vulnerability goes, Anderson and Guarnieri said it lies in the use of text messages to activate new devices. When logging into a new device, Telegram sends authorization codes via SMS.

Those are the messages reportedly intercepted. According to the researchers, the phone company might have intercepted the codes and shared them with hackers: a danger in any country wherein carriers are owned or heavily influenced by the government.

Once the attackers had the codes, they could add new devices to a target’s Telegram account and read both new messages and chat histories.


#2

Here's Telegram's response.

From that article…

As for the reports that several accounts were accessed earlier this year by intercepting SMS-verification codes, this is hardly a new threat as we've been increasingly warning our users in certain countries about it. Last year we introduced 2-Step Verification specifically to defend users in such situations.

If you have reasons to think that your mobile carrier is intercepting your SMS codes, use 2-Step Verification to protect your account with a password. If you do that, there's nothing an attacker can do.

I thought it was a bit odd that Telegram framed SMS interception as a non-problem, because users were warned about it and told to set up a password.
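
The login flow discussed in this thread, as an added example that is not part of either post and not Telegram's real protocol or code: a toy account server where an SMS code alone authorizes a new device unless a 2-step password is set. All names (`AccountServer`, `demo`, the status strings) and the phone number are constructed for illustration.

```python
import hashlib, hmac, secrets

class AccountServer:
    """Toy model of phone-number login (assumption: not Telegram's design)."""
    def __init__(self):
        self.pending = {}   # phone -> one-time login code awaiting use
        self.password = {}  # phone -> (salt, hash) once 2-step is enabled
        self.devices = {}   # phone -> set of authorized device names

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enable_two_step(self, phone, password):
        salt = secrets.token_bytes(16)
        self.password[phone] = (salt, self._hash(password, salt))

    def send_login_code(self, phone):
        code = f"{secrets.randbelow(100_000):05d}"
        self.pending[phone] = code
        return code  # stands in for the SMS: the carrier can read this value

    def authorize_device(self, phone, device, code, password=None):
        expected = self.pending.get(phone)
        if expected is None or not hmac.compare_digest(expected, code):
            return "BAD_CODE"
        if phone in self.password:
            # The SMS code is no longer sufficient; a secret that never
            # crosses the carrier's network is also required.
            if password is None:
                return "PASSWORD_REQUIRED"
            salt, stored = self.password[phone]
            if not hmac.compare_digest(stored, self._hash(password, salt)):
                return "BAD_PASSWORD"
        del self.pending[phone]  # codes are single use
        self.devices.setdefault(phone, set()).add(device)
        return "AUTHORIZED"

def demo():
    srv, phone = AccountServer(), "+0000000000"  # constructed number
    # Without 2-step: whoever holds the SMS code can add a device.
    r1 = srv.authorize_device(phone, "carrier-side", srv.send_login_code(phone))
    srv.enable_two_step(phone, "long owner passphrase")
    code = srv.send_login_code(phone)
    r2 = srv.authorize_device(phone, "carrier-side-2", code)
    r3 = srv.authorize_device(phone, "carrier-side-2", code, "guess")
    r4 = srv.authorize_device(phone, "owner-laptop", code, "long owner passphrase")
    return r1, r2, r3, r4, sorted(srv.devices[phone])
```

In this model the device added before the password was set stays in the authorized set, so enabling the second factor should be followed by a review of the sessions already attached to the account.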