
Unveiling Messenger Weaknesses: Understanding How Hackers Can Infiltrate and Compromise Your Device

Officer's Blog, 2024/02/23 17:06
By: Officer's Blog

Big thanks to my TG channel follower for bringing up this crucial subject. Researchers have recently observed a marked rise in account hijackings, particularly with Telegram. It is important to mention that phishing and social engineering are often used in tandem in the majority of cases.

However, today I want to talk about instances where accounts are compromised due to messenger vulnerabilities (which, thankfully, are usually quickly fixed) rather than phishing attacks:

  1. CVE-2022-36934 (critical vulnerability in WhatsApp) — allowed RCE via a buffer overflow during a video call;

  2. CVE-2022-27492 (vulnerability in WhatsApp) — allowed RCE by sending a specially crafted video file;

  3. In 2017, there were many news pieces about the possibility of hijacking Telegram and WhatsApp accounts by sending (just) an image file. And you didn’t necessarily need to download it to your phone to get infected with malware. However, I have not found any confirmation of this CVE so far.

What conclusions can be drawn here? Aside from 2FA, mail binding, and other features, the best thing to do in messengers is turn off file auto-downloading.

To disable auto-downloading on Telegram, go to “Privacy & Security → Data Settings”. This applies to both Wi-Fi and cellular connections. You never know what will be sent to you, and what 0-day was released just yesterday, so always remember that forewarned is forearmed, and take all necessary security precautions ahead of time before it is too late.

Naturally, you should always keep in mind that unless you learn to be a little more cautious about what and where you enter, send, and open, no antivirus software or two-factor authentication will be of any use!

Private or Anonymous?

In today’s interconnected digital landscape, the importance of securing our online accounts cannot be overstated. As individuals increasingly rely on instant messaging platforms for communication, the necessity to protect our privacy and personal information has become paramount. Particularly, when it comes to Telegram — an app renowned for its privacy features and encryption — it is essential to understand the criticality of securing our accounts in order to fortify our digital presence against potential threats from malicious actors.

Telegram’s extensive user base and emphasis on privacy have made it an appealing choice for individuals and organizations seeking a secure means of communication. However, while Telegram offers robust security features, it is imperative for users to take proactive measures to safeguard their accounts and protect their sensitive information.

In essence, the need to secure your Telegram account transcends individual benefit — it extends to fostering a more secure and privacy-conscious digital community. By prioritizing account security and implementing robust measures to fortify your presence on the platform, you not only safeguard your own privacy and information but also contribute to elevating the overall security posture of the Telegram network.

Speaking seriously, human freedom is predicated on privacy; without it, decisions can be easily swayed by everything from criminal prosecutions to public censure to coercive measures. I feel that there should be no exceptions to the rule that privacy must be protected. Your data belongs to you and only to you, not to any third parties like corporations, hackers, or special services.

With all that said, it is imperative to differentiate between anonymity and privacy. Privacy means that people can clearly tell who you are, but they don’t know what you do. Being anonymous means that, despite what you do being known, people are unaware of your identity.

For most people, anonymity is desirable but not necessary. You need anonymity if you’re concerned about anyone seeing your data. But… how “much” security? Well, that depends on your threat model, which includes your actions, the identity of your possible attacker, and other factors. Online security, privacy, and anonymity are much safer when combined with personal security. While privacy is essential, not everyone requires personal security or anonymity.

As law enforcement and “big tech” corporations are the first to be interested in your data, protect yourself rather than depending on others. Avoid asking yourself if you have anything to conceal. Do you have anything that you would like to keep safe? Numerous instances of “harmless surveillance” that are defended have serious repercussions.

Think twice about this. Securing our digital presence is becoming more and more important as technology develops, which emphasizes the need for a strong commitment to account security across all digital platforms!

Telegram: Settings Checklist

The lightweight chat client Telegram is one of the most common methods of communication in crypto, and there’s a good reason for that. This app is also frequently used for work and communication, so it stands to reason that scammers and hackers would also look for victims there.

This article was initially written by me for immunefi.com (my ex-job).

Let’s figure out how not to be a victim! Let’s get started!

Beware of impersonators (carefully check the Telegram bio, as the scammer may insert any nickname into his bio and leave his own nickname blank), fake notifications about logging into Telegram with a phishing link (check them carefully; they should arrive in the official Telegram news & tips channel), fake bots (yep, bots — not user accounts — may DM first), and so on!

NONE of the Telegram chats are E2E encrypted, neither 1:1 nor groups — only TLS. Only secret chats are, iirc.

  • Phone Number → Who can see my phone number — Nobody;

  • Data and Storage → Auto Download Media → Toggle off;

  • Phone Number → Who can find me by my number — My Contacts;

  • Last Seen & Online → Who can see my timestamp — Nobody;

  • Profile photo → Who can see my profile photo — My Contacts;

  • Calls → Who can call me — My Contacts (or Nobody, if you prefer);

  • Calls → Peer-to-peer — My Contacts (or Nobody, if you prefer not to share your IP address with chat partners);

  • When you start the call, you will see four emojis at the top right corner — ask the person you are calling to name them and compare them to yours (they should be the same as yours). This is protection from MitM;

  • Forwarded Messages → Who can add a link to my account when forwarding my messages — My Contacts;

  • Never add contacts to Telegram (if there are any — erase them), and always use a VPN;

  • Groups & Channels → Who can add me — My Contacts;

  • Set up a 2FA (cloud password);

  • Set up a cloud email 2FA!;

  • More about 2FA: core.telegram.org/api/srp#email-verification & this;

  • Disable sticker loop animation! Animated Stickers = danger;

  • Disable auto-downloading (both Wi-Fi and cellular): Privacy & Security → Data Settings;

  • Disable P2P calls for everyone as it may expose your IP! Same with secret chats! End-to-End encryption means that your IP will become known to the person you’re chatting with. And vice versa;

  • Disable link & image previews in secret chats (scroll down in the Privacy and Security section);

  • Disable autoplay GIFs!

  • You can now buy Telegram Premium subscriptions (also — numbers & usernames) with TON: fragment.com/premium;

  • Dutch Police Can Access Hidden Telegram Numbers — Use a burner number!

  • Never activate (via /start) any Telegram bot! Do not even touch Telegram bots (only public chat bots are considered safe; you can operate them in a public chat via commands), never DM a Telegram bot! (any button can contain a SQLi vulnerability or even worse);

  • If you have to open a PDF (a CV, for example), use dangerzone.rocks or the Google Drive preview mode (ask the sender to upload it);

  • Watch your active sessions! Terminate inactive sessions! Watch out for session stealers;

  • If you receive a message about logging into your account — check that it is in the legitimate Telegram notification & news channel. Scammers can impersonate this notification channel to force you to give them the OTP code from the SMS;

  • Check out the Telegram FAQ;

  • To sign in to Telegram, use a different phone number — or even a virtual phone number — rather than your actual mobile number. However, if you use a one-time number, someone else may obtain access to your account. To conceal your IP address (which Telegram can provide, for example, at the request of law enforcement officials), use a VPN;

  • Check out this list & follow Telegram Tips;

  • It is necessary to have a separate secure device with an account-logged in application;

  • It is necessary to regularly check the work of the application logged in to the account and the chat with service notifications. At least once every five days;

  • The more devices logged into the account — the higher the risk of account compromise. Also, a logged-in device is a tool in ensuring the security of a Telegram account;

  • This project describes Telegram limitations! | Link 2;

  • More security tips by SamCZSun;

  • My old article written for Immunefi.

  • Anyone can become a victim of mass-abusing. You should send a letter to [email protected] / contact support agent +42470 (add this phone to contacts);

  • But you should also contact support, which is located in your Telegram settings — “Ask a Question”;

  • Next, fill out this form: telegram.org/support;

  • Automatically detect changes made to official Telegram sites, clients, etc.;

  • If you’ve been restricted, then visit @SpamBot and click through it;

  • Join my TG channel.
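
Why the four-emoji comparison from the call item in the checklist above catches a MitM, as an added example that is not from the original article or from Telegram: each caller derives the symbols from the key it negotiated, and a relay sitting between the callers ends up with a different key on each leg. The group parameters, the `EMOJI` table and all function names are assumptions made for this illustration; Telegram's real key exchange and emoji table differ.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption for the demo; real clients use a
# much larger prime). 2**127 - 1 is a Mersenne prime.
P = 2**127 - 1
G = 3

# Constructed 16-symbol table, NOT Telegram's real emoji set.
EMOJI = ["🐱", "🐶", "🦊", "🐻", "🐼", "🐸", "🐵", "🐔",
         "🍎", "🍋", "🍇", "🍉", "🚗", "🚀", "⚓", "🎲"]


def keypair():
    """Return (private exponent, public value g^priv mod P)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Key each side computes from its own secret and the peer's public value."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def emojis(key):
    """Four symbols derived from SHA-256 of the negotiated key."""
    digest = hashlib.sha256(key).digest()
    return [EMOJI[b % len(EMOJI)] for b in digest[:4]]


def direct_call():
    """Both callers exchange public values with each other: same key."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return emojis(shared_key(a_priv, b_pub)), emojis(shared_key(b_priv, a_pub))


def relayed_call():
    """A relay substitutes its own public value on each leg, so each caller
    shares a different key with the relay and the symbols stop matching."""
    a_priv, _ = keypair()
    b_priv, _ = keypair()
    _, relay_pub = keypair()
    return emojis(shared_key(a_priv, relay_pub)), emojis(shared_key(b_priv, relay_pub))


if __name__ == "__main__":
    print("direct :", *direct_call())
    print("relayed:", *relayed_call())
```

With only four symbols from a 16-entry table a mismatch is overwhelmingly likely rather than guaranteed, which is why the comparison has to be done out loud on every call and not assumed.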

Final Remarks

The need to keep our online accounts safe is constant as we make our way through the complexity of the digital world. Making a deliberate effort to strengthen your Telegram account is a proactive measure to preserve the integrity of secure communication, protect personal data, and protect your privacy.

If you want to support my work, please consider donating to me:

  • 0xB25C5E8fA1E53eEb9bE3421C59F6A66B786ED77A or officercia.eth — ETH

  • 17Ydx9m7vrhnx4XjZPuGPMqrhw3sDviNTU — BTC

  • 4AhpUrDtfVSWZMJcRMJkZoPwDSdVG6puYBE3ajQABQo6T533cVvx5vJRc5fX7sktJe67mXu1CcDmr7orn1CrGrqsT3ptfds — Monero XMR

  • More addresses: github.com/OffcierCia/support.

To sum up, protecting your Telegram account is essential and involves a larger commitment to security, privacy, and good digital citizenship. We actively contribute to the development of a more secure and safe virtual environment that upholds integrity, privacy, and trust by strengthening our accounts.

Thank you! Stay Safe!


Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
