Phishing “features” of Telegram

Telegram tries to be secure, but, as its Bug Bounty program states, social engineering is out of scope. I fully agree with that. Telegram, however, takes this to cover every unsafely implemented function that can only be abused for social engineering, and on that point I disagree. In this article I describe two “features” that the messenger does not intend to fix, but that can easily be used for social engineering, especially in combination.

Link, where?

Telegram's formatting lets you attach a link to text, but it does not properly warn you about following that link when the destination is inside the messenger. Look here.

Are you sure you want to go there?

When you follow a link to an external resource, a confirmation dialog shows the full target URL, which prevents formatting from being used for phishing.

But what happens if the link is internal (https://t.me/...)? Nothing. Following an internal link produces no notification at all.

Here is an example (Fig. 2). The text @OSINT_bot can carry a link to a different bot or chat, attached through ordinary formatting, for instance http://t.me/OSINT_HACKED_bot.

Find 10 differences.

And visually both links look the same, although they lead to completely different bots. Styled to match each other, they make for easy phishing. The substitution can only be noticed by hovering the cursor over the link or by copying it.
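The mismatch described above is visible in the message data even though the client hides it: a formatted link arrives from the Bot API as a `text_link` entity whose `url` can differ from the text it covers. The following audit routine is an added example, not code from the article or from Telegram; it walks a message's entities and flags a visible `@handle` whose internal target resolves to a different username, as well as any internal link carrying a `start` parameter the client would not display. The message and the entity offsets are constructed for the example.

```python
"""Audit a Telegram message for links whose visible text disagrees with their target.

Operates on the Bot API message shape (text plus a list of entities). Real API
offsets are UTF-16 code units; the constructed sample below is pure ASCII, so
character and code-unit offsets coincide.
"""
import re
from urllib.parse import parse_qs, urlparse

INTERNAL_HOSTS = {"t.me", "telegram.me", "telegram.dog"}
# Telegram usernames are 5-32 characters of letters, digits and underscores.
HANDLE_RE = re.compile(r"^@([A-Za-z0-9_]{5,32})$")


def internal_target(url):
    """Return (handle, query_params) if url opens something inside Telegram, else None."""
    p = urlparse(url)
    if p.scheme == "tg" and p.netloc == "resolve":
        q = parse_qs(p.query)
        domain = q.get("domain", [None])[0]
        if domain:
            return domain.lower(), {k: v for k, v in q.items() if k != "domain"}
        return None
    if p.scheme in ("http", "https") and p.netloc.lower() in INTERNAL_HOSTS:
        first = p.path.strip("/").split("/")[0]
        if first:
            return first.lower(), parse_qs(p.query)
    return None


def audit_links(message):
    """Return one finding per suspicious text_link entity in the message."""
    text = message.get("text", "")
    findings = []
    for ent in message.get("entities", []):
        if ent.get("type") != "text_link":
            continue  # plain @mentions and bare URLs show their real target
        shown = text[ent["offset"]:ent["offset"] + ent["length"]]
        target = internal_target(ent["url"])
        if target is None:
            continue  # external link: the client already shows the full URL on click
        handle, query = target
        reasons = []
        m = HANDLE_RE.match(shown.strip())
        if m and m.group(1).lower() != handle:
            reasons.append("handle_mismatch")  # e.g. "@OSINT_bot" pointing at OSINT_HACKED_bot
        if "start" in query:
            reasons.append("hidden_start_param")  # parameter the client never displays
        if reasons:
            findings.append({"shown": shown, "actual": ent["url"], "reasons": reasons})
    return findings


def _entity(text, shown, url):
    """Build a text_link entity for the constructed sample (offset computed, not hand-typed)."""
    return {"type": "text_link", "offset": text.index(shown), "length": len(shown), "url": url}


# Constructed sample message: three formatted links, one of them harmless.
SAMPLE_TEXT = "Stats: @tg_analytics_bot, tools: @OSINT_bot, or read the docs"
SAMPLE_MESSAGE = {
    "text": SAMPLE_TEXT,
    "entities": [
        _entity(SAMPLE_TEXT, "@tg_analytics_bot",
                "https://t.me/tg_analytics_bot?start=EXAMPLE_KEY_PLACEHOLDER"),
        _entity(SAMPLE_TEXT, "@OSINT_bot", "http://t.me/OSINT_HACKED_bot"),
        _entity(SAMPLE_TEXT, "docs", "https://example.com/docs"),
    ],
}

if __name__ == "__main__":
    for f in audit_links(SAMPLE_MESSAGE):
        print(f"{f['shown']!r} -> {f['actual']}  [{', '.join(f['reasons'])}]")
```

A channel or group bot can run this over incoming messages and, for example, quote the real target back into the chat, which restores the information the client withholds.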

Reproduction steps:

  1. Write a message containing the contact/chat/bot tag (@OSINT_bot).

  2. Click formatting => Add link => add the phishing link (@OSINT_hacked_bot).

  3. Delete the loaded preview.

  4. Send the link to the victim.

  5. ???

  6. PROFIT!

There are many ways to use this in phishing: by sending victims familiar tags, we can redirect them to other dialogs, bots or chats. But this “feature” shows itself best in combination with the next one.

What else did you convey?!

Many resources, for example TGStat (https://tgstat.ru/), use a login scheme that goes through Telegram. For authorization, a unique parameter is passed to the site's own bot via a link on the site. It works like this:

  1. The user visits the site and clicks the “login” button.

  2. The site gives the user a link to its bot with a unique key in the start parameter, for example https://t.me/tg_analytics_bot?start=wjIKCRulVabiy5z-VnYRd10NGblZaVru

  3. The bot waits for this unique parameter; once it arrives, the site authorizes the user under the Telegram account from which the key was received.
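The weak point of this flow is that the bot binds whoever presses Start to the browser that requested the key, with nothing shown to the user. The code below is an added example, not TGStat's or Telegram's code: it models the shared state behind such a login (`LoginBroker`, its method names and the 120-second key lifetime are assumptions) and places the insecure `/start` handler next to a hardened one that echoes the hidden parameter and the requesting browser back to the user and binds the session only after an explicit confirmation from the same Telegram account. It also adds a session revocation method of the kind the article notes the service lacks.

```python
"""Two ways a site's bot can handle "/start <key>" logins (constructed example).

The website issues a key bound to the browser session that asked for it; the bot
receives the key when someone presses Start. The insecure variant binds whoever
pressed Start to that browser immediately; the hardened variant shows the user
what is being authorized and waits for an explicit confirmation.
"""
import hmac
import secrets
import time


class LoginBroker:
    """State shared by the website and its bot. Names and TTL are assumptions."""

    KEY_TTL = 120  # seconds a login key stays valid

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # key -> {"session": browser session id, "issued": ts, "ua": str}
        self.awaiting = {}  # telegram user id -> (key, confirmation code)
        self.sessions = {}  # browser session id -> telegram user id

    def issue_key(self, session_id, user_agent):
        """Website side: called when the user presses 'login'; the key goes into ?start=."""
        key = secrets.token_urlsafe(24)
        self.pending[key] = {"session": session_id, "issued": self.now(), "ua": user_agent}
        return key

    def _take_valid(self, key):
        rec = self.pending.get(key)
        if rec is None or self.now() - rec["issued"] > self.KEY_TTL:
            self.pending.pop(key, None)
            return None
        return rec

    # Insecure: whoever presses Start with a valid key is logged in to the browser
    # that requested it, so a key forwarded under a disguised link hands the
    # clicker's account to that browser.
    def start_insecure(self, key, tg_user_id):
        rec = self._take_valid(key)
        if rec is None:
            return "unknown or expired key"
        self.pending.pop(key)
        self.sessions[rec["session"]] = tg_user_id
        return "logged in"

    # Hardened: the bot surfaces the hidden parameter and the requesting browser,
    # and binds the session only after the same user confirms.
    def start_secure(self, key, tg_user_id):
        rec = self._take_valid(key)
        if rec is None:
            return None
        code = secrets.token_hex(3)
        self.awaiting[tg_user_id] = (key, code)
        return (f"Login request {key[:6]}... from browser '{rec['ua']}'. "
                f"If that is you, reply CONFIRM {code}; otherwise ignore this message.")

    def confirm(self, tg_user_id, code):
        """Bot side: handle 'CONFIRM <code>' from the user who pressed Start."""
        staged = self.awaiting.get(tg_user_id)
        if staged is None:
            return False
        key, expected = staged
        if not hmac.compare_digest(expected, code):
            return False
        rec = self._take_valid(key)
        self.awaiting.pop(tg_user_id)
        if rec is None:
            return False  # key expired while waiting for confirmation
        self.pending.pop(key)  # single use
        self.sessions[rec["session"]] = tg_user_id
        return True

    def revoke(self, tg_user_id):
        """Let a user end every browser session tied to their account."""
        gone = [s for s, u in self.sessions.items() if u == tg_user_id]
        for s in gone:
            del self.sessions[s]
        return len(gone)


if __name__ == "__main__":
    broker = LoginBroker()
    key = broker.issue_key("browser-A", "Firefox on Linux")
    print(broker.start_secure(key, tg_user_id=42))
```

The confirmation prompt is what changes the outcome: a user who never pressed “login” on the site sees a request from an unfamiliar browser and has a reason to ignore it, whereas the insecure handler gives them nothing to notice.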

Successful login

However, when the link is clicked, the parameter is not shown in the Telegram client. Only the bot launch button is displayed, and after pressing it no parameter is visible in the chat history with the bot. Yet it is sent.

This is an internal Telegram “feature” that hides the parameters passed when opening any bot; the service's developers have adapted it for their own use. It is not particularly safe, though.

Hijacking a TGstat account

Combined with the previous “feature”, the masking of internal links, this makes it possible to hijack a service account extremely effectively.

To do so:

  1. Go to the service website and obtain a unique authorization key for our browser, but do not follow the link.

  2. Under any pretext, send the victim a link to the genuine TGstat bot (@tg_analytics_bot), with our key added as a parameter through formatting (https://t.me/tg_analytics_bot?start=wjIKCRulVabiy5z-VnYRd10NGblZaVru).

  3. The victim clicks on the bot's name and follows the hidden link with the parameter.

  4. The victim is shown only the standard /start button.

  5. After the button is pressed, we receive the victim's session on the service in our browser.

  6. ???

  7. PROFIT!

Moreover, nothing looks strange to the victim, because they land in the genuine service bot, complete with their existing interaction history. A standard login message is displayed.

Off topic. On top of that, there is no way to view the list of active sessions on the site or in the bot, nor to terminate them. That is, we will remain in the account unnoticed and indefinitely, but these problems are on the conscience of the service's creators, not Telegram.

Reliable de-anonymization

Thanks to the combination of these two “features”, it is also possible to build a decoy bot disguised as a popular one by hiding the internal link. A hidden unique parameter makes it easy to track a visit to the trap from a specific source. When the user opens the bot, we receive their public account information and user ID.

Such a link can be placed in the “offer” (post suggestion) box of Telegram channels to de-anonymize administrator accounts.

Conclusions

To prevent these “features” from being used in phishing, I suggested the following to Telegram:

  • Enable the link confirmation dialog not only for external links but also for internal ones when the link was added through formatting.

  • Display the parameters passed when opening a bot by default, not just the bot launch button.

But Telegram, unfortunately, does not intend to do anything about this, as its security team informed me in response to a report submitted through the Bug Bounty program. It really is outside the program's scope, but I would still like a simple fix.

Perhaps the very presence of the word “social engineering” in the report is already a reason for rejection =)

Be careful and check the links!

Social engineering in reporting?  Auto-reject.