by piadodjanho 2345 days ago
In case someone is wondering how they hacked Telegram.

They used caller id spoofing and a telco vulnerability.

1. Change your phone ID and try to login on Telegram;

2. Telegram will send an SMS with an authentication number followed by a phone call to the actual mobile phone;

3. To avoid the message going through, spam the victim with many VoIP calls;

4. The Telegram call will be recorded on the missed call voice messages;

In Brazil, you can listen to the recorded messages calling your own number. Surprisingly, the telco only checks if the calling number was equal to the called number.

5. Again, with the caller ID spoofing, call your own number.

6. Now you have access to the victim's Telegram (past conversations and contact list)

7. ???

8. Profit.

EDIT: I translated part of the transcription used to accuse GG in another thread.

2 comments

I'm surprised that 2FA wasn't activated.

I should have made it clearer that Glenn Greenwald was not hacked.

I described the procedure the hackers used to access the politicians' conversations. Not GG's.

In one interview, Glenn Greenwald said the computer with the copy of the data isn't connected to the internet. Many news organizations worked with the same offline computer at his office. According to him, he did that to avoid leaking personal information.

Yet, he published conversations of other journalists with their sources, violating the secrecy of the source (protected by law). I should note that this other site's editorial line is the opposite of GG's.

GG suggested that the hackers delete all the files. They didn't. That's how the police managed to get the messages of GG talking with the hackers.

Isn't it possible he used it but the person he was speaking with didn't?

At least from a U.S. perspective, it seems more likely that law enforcement would try to get a court order to get into the hacker's conversations than a journalist's.

The supreme court judges already stated that Glenn Greenwald cannot be investigated because of the reporting. The police got this conversation from a backup kept by the hackers. There is no chance this accusation will be accepted by a judge; it goes against the constitution.

Some people speculate the prosecutor was looking for exposure and might run for some position in the next election.

I'm not...Greenwald, while an incredibly brave journalist, and friend of consumer tech rights, struggled to use PGP keys with Snowden...

Does anyone know if Telegram will ever move away from relying on phone numbers for authentication?

Telegram rolled out a fix right after the hijack trick was publicly known. Now, you can receive a verification code as a telephone call only if you have 2FA enabled in your Telegram account.
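
The voicemail check described in the first post and the fix described in the last comment, modeled side by side as an added example. It is not part of the thread and is not the telco's or Telegram's code; the function names, phone number, PIN and lockout threshold are assumptions constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional

MAX_FAILED = 3  # assumed lockout threshold, not taken from the thread

@dataclass
class Mailbox:
    number: str               # subscriber number that owns the voicemail box
    pin: str                  # constructed value; a real system stores a hash
    failed_attempts: int = 0

def weak_voicemail_access(box: Mailbox, caller_id: str) -> bool:
    # The check described in the post: caller ID equal to the called number.
    # Caller ID is supplied by the calling side, so it proves nothing.
    return caller_id == box.number

def hardened_voicemail_access(box: Mailbox, caller_id: str,
                              pin: Optional[str]) -> bool:
    # Caller ID is ignored as a credential; a PIN is required on every call.
    if box.failed_attempts >= MAX_FAILED:
        return False          # locked until reset out of band
    if pin is not None and hmac.compare_digest(pin.encode(), box.pin.encode()):
        box.failed_attempts = 0
        return True
    box.failed_attempts += 1
    return False

def login_code_channels(has_2fa_password: bool) -> List[str]:
    # Rule stated in the last comment: a login code is delivered by
    # telephone call only when the account has 2FA enabled.
    return ["sms", "voice_call"] if has_2fa_password else ["sms"]

def demo() -> dict:
    box = Mailbox(number="+550000000000", pin="4821")   # constructed sample
    forged_id = box.number    # caller ID set to the subscriber's own number
    return {
        "weak_check_accepts_forged_id": weak_voicemail_access(box, forged_id),
        "hardened_rejects_forged_id":
            not hardened_voicemail_access(box, forged_id, None),
        "hardened_accepts_owner_pin":
            hardened_voicemail_access(box, forged_id, "4821"),
        "channels_without_2fa": login_code_channels(False),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
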