How Scammers Are Exploiting Telegram's Security Flaws

Telegram’s reliance on app-only codes and lack of account recovery options has made it difficult for victims to regain control.

Don’t wait: turn on your Telegram’s two-factor authentication today. Go to Telegram’s Settings > Privacy & Security > Two-step Verification. I’ll wait; don’t do anything until you get it done. Now, let’s continue.

It was 7am on April 2nd, 2023, and I was about to continue sleeping for a few more hours after Sahur, something that I always do during Ramadan. This gives me much-needed sleep because I tend to have difficulty sleeping at night but always find myself waking up early most of the time.

Then, I received a Telegram chat from my colleague, which was unexpected and could only mean one of two things: either it was an emergency or an accident. I kept chatting, and by exactly the third message, I knew his Telegram account had been compromised and that it was a scam attempt. I verified this by asking for an account number, which indeed belonged to another mule who let their account be used as a proxy.

What A Good Way To Make A Living

I called him right away, and we set up a meeting in 30 minutes, which was already a long time if you have been compromised. By the time we met, he no longer had access to his Telegram account.

Almost all messaging apps work in a similar way: you sign in with your number, and then you receive a code to authenticate. In this case, Telegram prefers to send the code through the app itself instead of by SMS, and this turned out to be the biggest flaw for a messaging app that claims to focus on security.

Hey, we see that your account is logged in, so we only send the code through the app, okay? :)

When we finally met, I tried to get his account back through Telegram web and the apps, but both failed with a message that there had been too many login attempts. The waiting period was 24 hours, which meant whoever had gained access officially owned the account for life, with no way to recover it because of Telegram’s preference for delivering the code via the app.

Isn’t it lovely?

Since we had no other option, I tried to reach Telegram directly via email and chat (@notoscam). For the past 72 hours, I received no replies, and my chat hasn’t been read at all. Good job, Telegram. You just built the best app for scammers to take advantage of.

You can email us, but we won’t reply.

Stop right here; there’s no point in googling how to delete a Telegram account. I’ve tried pretty much every option available on our end. I’m exhausted, and if we could pay to get it deleted for good, we would. This is now an active account still attempting to scam people, without any way to stop the person.

In this case, my colleague got lucky; nobody in his Telegram contacts fell into the trap. They all kept calling him to verify whether he needed the money, and he had already broadcast everywhere else that his Telegram account had been compromised. I advised him to make a police report because his number was being used for a crime that he did not commit and had zero power to stop.

So how did it happen?

There are a lot of ways to obtain the login code, but I’ll focus solely on this case. His Telegram login code was obtained through a compromised account in his contacts, with scammers already standing by to complete the login process.

Sure, send the screenshot.

Once they got in, they waited until they could terminate all other sessions, then repeated the same login until the account was locked out for too many login attempts.

Now that they have the account, all they need to do is repeat the same process: pretend to be a legitimate contact and ask for a screenshot of Telegram’s home screen. If a stranger asks for a screenshot, most people will be unlikely to give in. If it’s coming from somebody they know, there is a slight chance they will give in, just like my colleague in this case, whose contact on Telegram asked him for that screenshot.

They will then chat with whoever is in the contacts, asking to borrow some money, and if that fails, they will attempt to get the login code, because they now have the phone number. Great for them, not so much for us.

When smart people make stupid decisions

Sure, if he hadn’t given the screenshot, all of this wouldn’t have happened. If he had noticed that there was a foreign device logged in and acted accordingly by terminating the session, this wouldn’t have happened. If he had turned on the two-step verification, this wouldn’t have happened. I was already dozing off during my sleep that Sunday morning.

Except there is only so much we can blame the user, especially those who are less tech-savvy. Why did Telegram make it so difficult to recover the account after the attack? Why did Telegram think it was a good idea to send the code only through the app just because a device was logged in? Why, in order to delete the account, is the code still only delivered through the app? Why isn’t @notoscam responding? Why isn’t Telegram responding to the emails? It would only take one of these steps to stop that compromised account for good. If only Telegram allowed the code to be sent via SMS. That’s all it would take.

Whoever at Telegram decided to ship this, you deserve a punch in the balls.

To be honest, I’m disappointed because I had been speaking highly of Telegram for years. Now that I have discovered its flaws, I don’t think it’s as secure as it claims to be. What’s the point of having the best encryption when you can’t even access your own account?

Posted April 6, 2023