In a blog post and a publication (PDF), Diaz Vico details how an attacker could potentially circumvent Telegram's authentication protocols by launching a 'Man-in-the-Middle attack' using a malicious third-party client as its main weapon. A successful exploitation of this attack, he writes, would give an attacker full control over the victim’s Telegram account.
Telegram is largely open-source, and the company behind the messaging app offers an open API, enabling anyone to build clients of their own. This causes a security issue, says Diaz Vico, because the company thus promotes the development of unofficial apps that could, potentially, be used to circumvent Telegram's security measures.
Is this a design flaw and is Telegram broken, or is this the kind of attack that can't really be prevented in any way?
Telegram, for its part, argues that malicious client software falls outside of its security scope as they can't really protect against it, advising people - with good reason - to only trust official and sanctioned Telegram client apps. For what it's worth, Diaz Vico says that's not enough, as even 'trusted' apps need to have advanced security measures in place to prevent exploitation of the vulnerability.
Too far-fetched or a legitimate concern? Worth a closer look by crypto experts as Telegram spreads.
Source: Hacker News