[aasasd]

Telegram already authenticates by the phone number, which setup was successfully used by Russian forces to hijack accounts of opposition.

Amazing how people are completely blind to this gaping misfeature despite infosec experts complaining about it the entire time.

[wyldfire]

> Telegram already authenticates by the phone number, which setup was successfully used by Russian forces to hijack accounts of opposition.

While this is bad, IIRC if it has PFS this means that the phone number rerouting cannot be used to recover messages sent before this intercept. And also IIRC this phone number could only be used to trigger re-keying, which is detectable.

[aasasd]

> IIRC this phone number could only be used to trigger re-keying, which is detectable

Dunno about currently, but afaik at the time this went down nothing was detectable, you just log into a user's account and read the history since e2e conversations aren't the default.

> The default method of authentication that Telegram uses for logins is SMS-based single-factor authentication. All that is needed in order to log into an account and gain access to that user's cloud-based messages is a one-time passcode that is sent via SMS to the user's phone number. These login SMS messages are known to have been intercepted in Iran, Russia and Germany, possibly in coordination with phone companies.