Telegram Fixes Vulnerability Used in Attacks on Brazilian Politicians
Last week, Brazilian law enforcement arrested four suspects accused of hacking 1,000 Telegram accounts. Among the victims were high-ranking government officials, including President Jair Bolsonaro, Justice Minister Sergio Moro, and Economy Minister Paulo Guedes. Other politicians, such as Congresswoman Joice Hasselmann, also reported being targeted.
How the Telegram Accounts Were Hacked
The hacking technique was detailed in a court document related to the arrest of the four hackers. This method was first described in 2017 by researcher Ran Bar-Zik.
The core of the method is that most messaging apps let users receive their one-time login code either by SMS or by an automated voice call that reads the code aloud. Users who have voicemail enabled are at risk if they have not changed the default voicemail PIN, which is often “0000” or “1234.”
Bar-Zik found that if the line is busy, or if the user does not answer three consecutive calls, the carrier eventually diverts the automated call, and with it the one-time code, to the user’s voicemail. If the victim still uses the default PIN, the attacker can simply retrieve the code from the mailbox.
According to Brazilian authorities, the four suspects installed Telegram on their own devices but entered the phone numbers of well-known politicians instead of their own. They then requested the code by voice call and, at the same time, called the targets’ phones so that the line was busy and the code went to voicemail. Next they called the carrier’s voicemail service over VoIP with the caller ID spoofed to the target’s number (voicemail systems commonly identify the mailbox by caller ID), entered the default PIN, retrieved the code, and linked the victim’s Telegram account to their own device, gaining full access to the account and its message history.
Telegram’s Response and Security Update
The high-profile hacks did not go unnoticed by Telegram’s developers. According to ZDNet, the messenger received an update over the weekend designed to prevent similar attacks in the future.
Developers explained that a login code delivered by phone call can now only be requested for accounts protected by two-step verification (Telegram’s additional cloud password). This closes the voicemail route in both cases: accounts without two-step verification can no longer receive a code by voice call at all, and for accounts that have it enabled, a code lifted from voicemail is useless without the password. The change applies to all Telegram users worldwide, not just those in Brazil.
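To make the mechanics concrete, here is an added Python model of the attack flow and of the policy change described in the two sections above. It is not Telegram’s code; the class names, the phone number, the PIN values and the message text are assumptions constructed for the simulation. run_attack() plays the attacker’s side under the old policy (voice-call codes for everyone) and the new one (voice-call codes only with two-step verification).

```python
"""Added model (not Telegram's code) of one-time-code interception via voicemail
and of the policy change that blocks it. Every name and value below is an assumption
constructed for the simulation."""
from dataclasses import dataclass, field
from typing import Optional
import secrets

DEFAULT_VOICEMAIL_PINS = {"0000", "1234"}   # constructed examples of carrier defaults


@dataclass
class Phone:
    """A subscriber line with a carrier voicemail box."""
    number: str
    voicemail_pin: str
    busy: bool = False
    mailbox: list = field(default_factory=list)

    def receive_call(self, spoken_text: str) -> str:
        # Busy or unanswered: the carrier diverts the call, and the spoken code, to voicemail.
        if self.busy:
            self.mailbox.append(spoken_text)
            return "voicemail"
        return "answered"

    def read_voicemail(self, caller_id: str, pin: str) -> Optional[list]:
        # The carrier picks the mailbox by caller ID, so a spoofed caller ID plus the
        # (default) PIN is all an attacker needs.
        if caller_id != self.number or pin != self.voicemail_pin:
            return None
        return list(self.mailbox)


@dataclass
class Account:
    phone: str
    two_step_password: Optional[str] = None   # Telegram "two-step verification"
    history: list = field(default_factory=lambda: ["constructed message history"])


class MessengerServer:
    """Login service; voice_requires_two_step=True models the post-fix policy."""

    def __init__(self, accounts, phones, voice_requires_two_step: bool):
        self.accounts = {a.phone: a for a in accounts}
        self.phones = {p.number: p for p in phones}
        self.voice_requires_two_step = voice_requires_two_step
        self.pending = {}

    def request_code(self, phone_number: str, via: str) -> None:
        acct = self.accounts[phone_number]
        if via == "call" and self.voice_requires_two_step and acct.two_step_password is None:
            raise PermissionError("voice-call code only offered with two-step verification")
        code = f"{secrets.randbelow(100000):05d}"
        self.pending[phone_number] = code
        if via == "call":
            self.phones[phone_number].receive_call(f"Your login code is {code}")
        # SMS delivery is not modelled: a text message never lands in voicemail.

    def sign_in(self, phone_number: str, code: str, password: Optional[str] = None):
        acct = self.accounts[phone_number]
        if self.pending.get(phone_number) != code:
            return None
        if acct.two_step_password is not None and password != acct.two_step_password:
            return None
        return acct.history   # attacker now has the account and its history


def run_attack(voice_requires_two_step: bool, victim_pin: str = "0000",
               victim_password: Optional[str] = None) -> bool:
    """Return True if the attacker ends up with the victim's message history."""
    victim_phone = Phone("+5511999990000", victim_pin)   # constructed number
    server = MessengerServer([Account(victim_phone.number, victim_password)],
                             [victim_phone], voice_requires_two_step)
    victim_phone.busy = True   # attacker keeps the line busy with a simultaneous call
    try:
        server.request_code(victim_phone.number, via="call")
    except PermissionError:
        return False   # new policy, no two-step verification: no voice call at all
    for pin in DEFAULT_VOICEMAIL_PINS:
        # Spoofed caller ID: the attacker presents the victim's own number.
        msgs = victim_phone.read_voicemail(caller_id=victim_phone.number, pin=pin)
        if msgs:
            code = msgs[-1].split()[-1]
            # Without the two-step password the intercepted code is not enough.
            return server.sign_in(victim_phone.number, code) is not None
    return False   # PIN was changed: mailbox stays closed


if __name__ == "__main__":
    print("old policy, default PIN:", run_attack(False))
    print("old policy, changed PIN:", run_attack(False, victim_pin="7391"))
    print("new policy, no two-step:", run_attack(True))
    print("new policy, two-step on:", run_attack(True, victim_password="hunter2"))
```

The model shows where each defence bites: a changed voicemail PIN stops the mailbox read, the new policy stops the voice call from ever being placed for unprotected accounts, and the cloud password makes the intercepted code insufficient for protected ones.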
Voicemail Vulnerabilities Affect Many Services
It’s important to note that account compromise via voicemail is not unique to Telegram. The attack was first demonstrated against WhatsApp and later shown to work against Facebook, Google, Twitter, WordPress, eBay, PayPal, and many other services that deliver one-time codes by phone call. Since most of these companies have not implemented additional safeguards, users are strongly advised to change their default voicemail PIN (or disable voicemail altogether) and, where a service offers it, to enable a second factor that is not delivered over the phone network.