Title:
===============
Telegram 4.0.1 - TwoFactor Authentication ByPass (0day)
Author:
===============
Shahab Shamsi
Vendor Homepage
===============
https://telegram.org/
Date:
===============
2017-06-25
Exploitation-Technique:
===============
Local, Remote
References:
===============
Video1: https://www.youtube.com/watch?v=44ZDbvnZILk
Video2: http://securityman.org/telegram-4-0-1-twofactor-authentication-bypass-0day/
Severity Level:
===============
High
Description:
===============
This vulnerability makes it possible to bypass the two-factor authentication of a Telegram account,
and so to gain access to the target Telegram account,
on the following conditions:
- You have access to the activation code.
- Telegram is updated to the final version.
POC:
===============
Step 1 : First, connect to the target account using one of the Telegram versions.
Step 2 : Then, enter the activation code of the account.
Step 3 : At the final step, which requires passing the two-factor authentication password, reset the account without entering the second password.
Solution:
==============
- This bug proves that the two-factor authentication of Telegram accounts needs to be reviewed.
There is no definite solution to resolve this security problem so far.
Contact Me :
==============
Telegram : @Shahab_Shamsi
Email : info@securityman.org
Website : WwW.iran123.Org
Thanks : Artin Ghafari (Hidden Eagle)
- Thanks to my dear friend "Artin Ghafari" for recording the video and helping to discover the bug.