Stealing your Telegram account in 10 seconds flat

Say you handed me your phone, what’s the worst I could do in 10 seconds?

The other day I received an interesting message with a link to Telegram’s web client. Upon clicking on the link, I found myself already logged in. Curious, I logged out, sent myself a message with the same link, clicked, and was logged in once again. There wasn’t anything special about the link I had been sent, this is just Telegram’s default behavior.

I wanted to look into how this works. The first step was to figure out how the Telegram client was passing the session to the browser. As I clicked on the link, I noticed something flash on the URL bar for just a split second:

It seems like Telegram just opens up a URL with your account’s token appended to it. The token gets put in a hash fragment, and quickly disappears once the web client loads up and realizes there’s a token there. Although very convenient, this feature is pretty concerning because it can be used to quickly gain access to your account even if you use 2FA and a locked-down device (eg a non-rooted/jailbroken phone).

So where does this URL and its session come from? I searched tdesktop¹’s code for various keywords such as “web.telegram.org” and “tgWebAuthToken”, but oddly enough I didn’t get any hits. After staring at the code and not finding anything related to this feature for a while, I decided to build the app for real and attach a debugger to it.

A couple hours of compiling later, I had my very own build of tdesktop up and running. I set up a few breakpoints, clicked on some test links, and stepped through the code looking for the relevant bits. And eventually, I got here:

So that’s why I couldn’t find the keywords earlier! The list of domains this trick works with is sent to you by the Telegram server and stored in the config under the url_auth_domains² key. You can see the list of domains currently provided in the locals above.

Once you click on a link with a matching domain, your client will send it to Telegram’s servers and if everything looks alright you’ll get back a cute little temporary URL with the tokens and everything appended. For those playing along at home, we send a messages_requestUrlAuth with just the url set³, and hope to get back a urlAuthResultAccepted with the new url inside.

Having figured out how the thing works, and armed with a list of domains, I began looking for a way to break it. It seems like the entire initial URL gets preserved, including the path, query parameters, and the hash fragment, with the exception of the scheme being forced to https.

For example:

• http://web.​telegram.org/ becomes https://web.​telegram.org/​#tgWebAuthToken=...
• https://z.t.me/​pony becomes https://z.t.me/pony​?tgWebAuth=1​#tgWebAuthToken=...
• https://k.t.me/​#po=ny becomes https://k.t.me/​?tgWebAuth=1​#po=ny​&tgWebAuthToken=...

All of the domains apart from the web.telegram.org one are sort-of built for the t.me deep links. Going on any of them without a path will just bring you to the telegram.org homepage. Going on one with a compatible path, such as z.t.me/share?url=lyra.horse, will open up the respective client with a hash fragment, eg:
https://web.telegram.org/a/#?​tgaddr=​tg%3A%2F%2Fmsg_url%3F​url%3Dlyra.horse

This is usually performed with a HTTP 301 redirect, but if the tgWebAuth parameter is set and the deep link is valid, you’ll get to run this fun javascript instead:

I was a bit puzzled at first, but eventually realized that this is all just a simple hack to deal with URL hash fragments. The hash fragment part of the URL never gets sent to the server, so the server cannot know where to redirect you if it also wants to add its own hash fragment. In this specific case, we have #tgWebAuthToken=... in the URL already, and we want to combine it with #?tgaddr=... as we redirect to the web client (so in the end we get #?tgaddr=...&tgWeb​AuthToken=...).

For the rest of the night I played around with Telegram’s various web clients. A little-known fact is that the legacy Telegram web client can still be accessed to this day by going to web.telegram.org/?legacy=1. What’s more, the session is shared between the web clients, so an exploit in the old web client might still be useful even if the target uses a modern web client.

I couldn’t find anything too interesting in WebK, but both WebZ and the legacy client provided some promising leads in messing with the tgaddr in the URL. It ended up being a dead end for my research though, as I couldn’t figure out a way to get rid of or bypass the ampersand in the &tgWebAuthToken=... part of the URL. I even messed around with unicode to see if that’d somehow let me “erase” the ampersand, but it seems like UTF-8 has been designed to withstand this.

I then looked into the mobile apps. Both the iOS and Android clients support the link authentication thing, which makes the whole situation a tad more worrying considering it’s generally a lot harder to just copy a session token off a mobile device. On Android I messed around with intents, but ended up at another dead end as intents for web links have been locked down since Android 12 and require domain verification to work. I also messed around with protocol intents, but the way the app has been written prevents the token from being appended in those cases.

So, no exploit?

In my research I was unable to come up with a successful remote exploit. I won’t be getting a bug bounty, but that doesn’t mean it was all in vain. Combining all the research so far, and adding a little cherry on top, we can create a scenario where we can steal someone’s Telegram session in just a few seconds of physical access to their device, no matter if it’s their computer, phone, or tablet.

We start off by sending “z.t.me” in their Telegram app and tapping on the link. This will redirect their browser to telegram.org/​#tgWebAuthToken=.... From here we edit the domain in the browser to telegramz.org - a domain I own - and hit/tap enter. The javascript on my domain will take it from here, logging one of my own devices in with the token.

Here’s a demo of me pulling off the entire attack in less than 10 seconds on an Android phone and a laptop:

Note: YouTube has removed my video for a community guidelines violation. Educational content like this is allowed, but I believe their review team confused my video with a hacking tutorial (probably due to livesplit splits looking too much like a step-by-step instruction). They’ve also refused my appeal. You can watch a plain mp4, a Vimeo upload, or this twitter post instead.

This attack is incredibly easy to pull off even for a low-skill attacker. Assuming some higher forces have already set up a custom domain for you, all you need to know is how to tap on a link and add a letter onto the URL bar. You don’t need any specialized tools, you don’t need to know anything about the target, you don’t even need a phone.

So what should Telegram do about this?

The same thing they did with the QR code logins! If you attempt to log onto a new device by scanning a login QR code, you’ll still have to enter your 2FA password - and I think the same mitigation could be implemented for these instant login web client URLs.

Discuss this post on: twitter, mastodon, hackernews, cohost

thank you for reading my first blog post!!

i decided to take on the challenge of using no images on the page, and no javascript either. i don’t think this’ll be a sustainable way of doing things going forward, but it does mean you get fast load times (everything here is ~20kB gzipped!), pretty vector graphics on hidpi screens (try zooming in!), and responsive “screenshots” for mobile devices (try resizing the window and see how neatly things change to accommodate!). also if you’re someone using assistive technologies, please let me know how this post felt to read and if there’s anything to be improved or done differently in the future.

note: the graphics in this blog post are not fully compatible with netscape navigator, please switch to a modern alternative such as ladybird