Telegram has fixed a vulnerability that allowed attackers to take over other people’s accounts through voicemail. Over the last several months, attackers have compromised more than a thousand accounts of Brazilian users through this vulnerability.
Last week it was reported that Brazilian law enforcement agencies arrested four people suspected of hacking 1000 Telegram accounts.
“Some of the most high-profile victims of recent attacks include Brazil’s President Jair Bolsonaro, Justice Minister Sergio Moro, and Economy Minister Paulo Guedes,” ZDNet reports.
The essence of the method is that most instant messengers let users receive one-time access codes via SMS or as a voice message. Users who have voicemail enabled are at risk if they have not changed the default voicemail password, since in most cases this is “0000” or “1234”.
Bar-Zeke discovered that if the number is busy with another call, or if the user does not answer the call three times in a row, the one-time confirmation code is eventually redirected to the user’s voicemail account. From there it is quite easy to extract if the victim did not change the password.
According to the Brazilian authorities, the four hackers installed Telegram on their devices but registered with the phone numbers of well-known politicians instead of their own.
They then requested authentication through a voice message and, at the same time, called the recipients’ phones so that the one-time access code was sent to voicemail. Next, the suspects spoofed the victims’ phone numbers (using VoIP), used the default password to access the voicemail account, retrieved the one-time code and linked the victim’s Telegram account to their own device, gaining full access to the account and its entire message history.
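The sequence described above (voice-code request, a busy line or three unanswered calls, then a login from a new device) can be turned into a server-side detection rule. The following is an added example, not code from Telegram or from the original article; the event names, the sample events and the 15-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed correlation window, not from the article
MAX_UNANSWERED = 3              # "three times in a row", as described in the article

# Constructed sample events: (ISO time, account, event). Event names are hypothetical.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "acct-A", "voice_code_requested"),
    ("2024-01-01T10:00:05", "acct-A", "call_busy"),
    ("2024-01-01T10:03:00", "acct-A", "login_new_device"),
    ("2024-01-01T11:00:00", "acct-B", "voice_code_requested"),
    ("2024-01-01T11:00:10", "acct-B", "call_answered"),
    ("2024-01-01T11:01:00", "acct-B", "login_new_device"),
    ("2024-01-01T12:00:00", "acct-C", "voice_code_requested"),
    ("2024-01-01T12:00:10", "acct-C", "call_unanswered"),
    ("2024-01-01T12:01:10", "acct-C", "call_unanswered"),
    ("2024-01-01T12:02:10", "acct-C", "call_unanswered"),
    ("2024-01-01T12:40:00", "acct-C", "login_new_device"),
]

def flag_voicemail_takeovers(events, window=WINDOW):
    """Return accounts where a voice code probably landed in voicemail and a
    new device logged in within `window` of that delivery."""
    state = {}    # account -> unanswered-call count and time the code hit voicemail
    flagged = []
    for ts, account, name in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        s = state.setdefault(account, {"unanswered": 0, "voicemail_at": None})
        if name in ("voice_code_requested", "call_answered"):
            # New request, or the owner picked up: nothing went to voicemail.
            s["unanswered"], s["voicemail_at"] = 0, None
        elif name == "call_busy":
            s["voicemail_at"] = when          # busy line: code redirected to voicemail
        elif name == "call_unanswered":
            s["unanswered"] += 1
            if s["unanswered"] >= MAX_UNANSWERED:
                s["voicemail_at"] = when      # third miss: code redirected to voicemail
        elif name == "login_new_device":
            sent = s["voicemail_at"]
            if sent is not None and when - sent <= window:
                flagged.append(account)
            s["voicemail_at"] = None
    return flagged

if __name__ == "__main__":
    print(flag_voicemail_takeovers(SAMPLE_EVENTS))
```

A flagged account is a candidate for forcing re-verification through another channel before the new device is trusted.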
Telegram’s developers did not ignore the high-profile hacking of Brazilian politicians’ accounts. Last weekend, the messenger received an update designed to prevent similar attacks in the future.
“As a rule, it is possible to request a code, if you wish, it is protected with a two-step verification,” a Telegram spokesperson said.
Of course, this fix is available not only to Brazilian users, but to all Telegram users.
However, it is worth remembering that account compromise via voicemail is not limited to Telegram. Such an attack was first demonstrated against WhatsApp, and it was later shown that the method works for Facebook, Google, Twitter, WordPress, eBay, PayPal and many other services.
Since their developers did not take any additional protective measures, users are strongly advised to change the default voicemail password.