How hackers are getting access to 1000s of Telegram accounts

A security hole is letting hackers access Telegram accounts

Telegram is one of the most used messaging apps out there, with around 200 million users. Telegram promotes itself as a private and very secure service. If you go to their webpage, you will see the following.

But one aspect of its login design has been used by hackers to steal data from the accounts of politicians around the world, and the stolen data is serving both as a way to uncover political corruption and as a political tool.

The most recent scandal happened in Puerto Rico. Governor Ricardo Rosselló resigned after his Telegram account was hacked, and a corruption scandal related to federal funds for hurricane relief, as well as messages with profanity, was released to the public:

The same hack happened in Brazil with top officials. Chats of the Secretary of Justice were released, and thousands of Telegram accounts seem to have been compromised:

The problem is that Telegram's system allows users to sign in with nothing more than a one-time code sent via text message (or, as a fallback, via phone call). Hackers exploit this weakness by spoofing other users' phone numbers.

Hackers might obtain a SIM card with the victim's number, but that is easy to trace and does not scale to many accounts. A new technique, however, allowed Brazilian hackers to access thousands of accounts without involving a carrier at all.

Let's check how they did it. Looking at their testimonial (in Portuguese), we can see that they got access to the users' accounts by breaking into the victims' voicemail, using a caller ID spoofing service called BRVoz.

First, they figured out how to get into someone's voicemail. Voicemail security is extremely weak. If you have not set a PIN code on your voicemail, anyone can go straight into it. Voicemail prompts can also be reached through caller ID spoofing: since the advent of caller ID, many voicemail systems simply check the calling number and base authentication on that match. Caller ID spoofing services like Spoofcard.com let a caller appear to be calling from the very number they are dialing, making it extremely easy to access someone else's voicemail.

Even if you set up a PIN code, it is usually only 4 digits long, meaning an attacker can brute-force it in at most 10,000 tries.

Now, with access to the victim's voicemail, the attacker just needs Telegram's login code to land there. If the phone is offline at the moment the code is delivered by phone call, the call goes to the victim's voicemail, and the code with it. Hackers can check whether the victim's phone is offline by sending a silent SMS.

An attacker can also make the phone unavailable by flooding it with a large number of silent SMS messages (an SMS flooding attack).

The following video shows how to access someone’s account step-by-step:

Step by step how the attack happens

One of the biggest personalities in Brazil had his Telegram account hacked as well. In a tweet, he revealed that he had received a call from his own number, meaning that the attackers spoofed his number to get access to his voicemail. That confirms that hackers were getting access to users' accounts through their voicemail.

It is surprising that not many more accounts have been compromised, but if Telegram does not fix this issue, these hacks will keep happening. If you are a Telegram user, I strongly recommend setting up 2FA (two-step verification), which adds a password that the attacker cannot get from your voicemail.

UPDATE (July 30): Telegram contacted me to inform me that, as of recently, it is only possible to request a code via call if your account is protected with two-step verification, so it cannot be accessed without knowing an extra password. For more information visit: https://telegram.org/faq#getting-a-code-via-a-phone-call
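To make the login-flow weakness and the fix from the update concrete, here is an added toy model (my own example, not Telegram's code or API). It assumes a constructed `Account` with a phone number, an optional two-step password, an online/offline flag and an optional voicemail PIN; a `Mailbox` that separates codes only readable on the handset from codes that fell into voicemail; and a `require_2sv_for_call` policy flag that stands in for the change Telegram describes (call delivery only when two-step verification is enabled). The 5-digit code format, the `voicemail_exposed` risk check (no PIN, or a PIN of at most 4 digits, per the numbers in the post) and all outcome strings are constructed for this example.

```python
"""Toy model of a code-based login with an SMS/call fallback and voicemail
capture. Constructed for illustration; not Telegram's code or API."""

from dataclasses import dataclass, field
from typing import List, Optional
import secrets


@dataclass
class Account:
    phone: str
    two_step_password: Optional[str] = None  # None: two-step verification off
    phone_online: bool = True
    voicemail_pin: Optional[str] = None      # None: voicemail box has no PIN


@dataclass
class Mailbox:
    """Where a delivered code ends up (constructed model)."""
    handset: List[str] = field(default_factory=list)    # readable only on the phone
    voicemail: List[str] = field(default_factory=list)  # readable by whoever reaches the box


def voicemail_exposed(account: Account) -> bool:
    """Risk check from the post: no PIN means the box is reachable directly
    (caller ID check only); a PIN of at most 4 digits is within the
    10,000-try brute-force budget the post mentions."""
    pin = account.voicemail_pin
    return pin is None or (pin.isdigit() and len(pin) <= 4)


def deliver_code(account: Account, mailbox: Mailbox, method: str,
                 require_2sv_for_call: bool) -> Optional[str]:
    """Issue a one-time code and deliver it by 'sms' or 'call'.

    Returns the issued code, or None when the request is refused. With
    require_2sv_for_call=True (the hardened policy), call delivery is only
    allowed for accounts that have a two-step password set."""
    if method not in ("sms", "call"):
        raise ValueError("unknown delivery method: %r" % method)
    if method == "call" and require_2sv_for_call and account.two_step_password is None:
        return None
    code = "%05d" % secrets.randbelow(100000)
    if method == "sms" or account.phone_online:
        mailbox.handset.append(code)
    else:
        mailbox.voicemail.append(code)  # phone offline: the call falls through to voicemail
    return code


def login(account: Account, code_entered: str, issued_code: str,
          password_entered: Optional[str]) -> bool:
    """Code must match; if two-step verification is on, the password must too."""
    if code_entered != issued_code:
        return False
    if account.two_step_password is not None and password_entered != account.two_step_password:
        return False
    return True


def voicemail_capture_outcome(account: Account, require_2sv_for_call: bool) -> str:
    """Outcome for someone who can read the victim's voicemail but has neither
    the handset nor the two-step password. Used to compare policies."""
    if not voicemail_exposed(account):
        return "blocked: voicemail protected"
    mailbox = Mailbox()
    code = deliver_code(account, mailbox, "call", require_2sv_for_call)
    if code is None:
        return "blocked: call delivery refused"
    if not mailbox.voicemail:
        return "blocked: code went to handset"
    if login(account, mailbox.voicemail[-1], code, password_entered=None):
        return "compromised"
    return "blocked: two-step password required"


if __name__ == "__main__":
    # Constructed scenarios: same offline victim, weak vs hardened policy, with and without 2SV.
    victim = Account(phone="+00 000 0000", phone_online=False)
    protected = Account(phone="+00 000 0000", phone_online=False, two_step_password="correct horse")
    for policy in (False, True):
        print("require_2sv_for_call=%s, no 2SV:   %s" % (policy, voicemail_capture_outcome(victim, policy)))
        print("require_2sv_for_call=%s, with 2SV: %s" % (policy, voicemail_capture_outcome(protected, policy)))
```

Running the scenarios shows the two independent layers of the fix: under the old policy an offline account without two-step verification is taken over through voicemail, while enabling two-step verification blocks the login even when the code is captured, and the hardened policy refuses call delivery for accounts that lack it in the first place.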