The organization of pro-Russian hacker groups like Killnet in Telegram groups raises the question whether it's possible to obtain user data via Telegram. In this article, we present two proofs of concepts that can de-anonymize Telegram users.
The war in Ukraine has led to an increase in pro-Russian hacking attacks on Western agencies and companies. To counter these attacks, ProSec has developed the Live Attack Parser. This parser scans the attackers' Telegram groups to provide information about planned attacks. This offers companies the opportunity to better protect themselves against planned attacks.
When investigating the Telegram groups, we found that they are mainly organized via a number of Killnet subgroups, mostly led by group leaders. This led us to the following question: Is it possible to find out user data via Telegram in order to deanonymize the users responsible for cyberattacks?
All proofs of concept presented were developed in August 2022. As of the current date (January 2023), all PoCs are still functional.
Basically, the proofs of concept exploit the fact that Telegram has no contact request function and therefore makes it possible, in numerous ways, to obtain data such as the username starting from the phone number. The poorly implemented handling of URIs and the personalized t.me links are used for this purpose; both allow other users to be contacted via their username or phone number.
The prerequisite for this is that the target person/user has set the "Who can find me under my number" setting to "Everyone".
The setting "Who is allowed to see my number" is irrelevant here, since the number is resolved via the URI/API. It therefore does not matter whether the number can be displayed in the app, because the request can be correlated with the answer. However, when enumerating via the Telegram apps, it should be noted that they are sometimes very unstable and therefore often produce unreliable results. The scan results should thus be validated several times before an accurate statement can be made.
Additionally, it is possible to validate the found number via common groups or the added contact of the target person.
The procedures of user deanonymization via the web and desktop application are very similar, as they both use the URI to resolve the requested number.
The main difference is that the web app takes the URI as a URL encoded query and the desktop app is called directly using the tg:// URI.
As soon as the request is sent via a browser, you are redirected to the web or desktop application respectively. If the requested number exists, the chat is opened. Otherwise, the notice "<number> Not Found" appears.
Since Telegram does not currently limit access to said URIs via the desktop or web apps, you can send as many requests as you like. This way, you can bruteforce numbers and then correlate them, for example, based on common groups or (if available) the username.
In the case of enumeration via the web application, however, the number of requests sent is quite high and thus relatively conspicuous. Requests here could easily be detected and blocked by a web application firewall (WAF).
The enumeration via the desktop application does not have this problem, since you only send requests indirectly to the web infrastructure of Telegram. However, the response handling is much more complicated here, since you cannot work with HTTP responses. This also limits the speed significantly.
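From the defender's side, the web-app variant is conspicuous precisely because it produces a burst of number-resolve requests from one client, most of them answered with "Not Found". The following is an added detection example, not code from the article or from ProSec: it assumes a common-log-format access log, assumes the request path shape "/+<digits>" stands for a phone-number resolve request, and uses an arbitrarily chosen window and threshold; the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real Telegram traffic). The path shape
# "/+<digits>" is assumed to be a phone-number resolve request of the web app;
# a 404 stands for the "<number> Not Found" answer described in the article.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2023:10:00:00 +0000] "GET /+491700000001 HTTP/1.1" 404 120
203.0.113.7 - - [10/Jan/2023:10:00:01 +0000] "GET /+491700000002 HTTP/1.1" 404 120
203.0.113.7 - - [10/Jan/2023:10:00:01 +0000] "GET /+491700000003 HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2023:10:00:02 +0000] "GET /+491700000004 HTTP/1.1" 404 120
203.0.113.7 - - [10/Jan/2023:10:00:03 +0000] "GET /+491700000005 HTTP/1.1" 404 120
203.0.113.7 - - [10/Jan/2023:10:00:03 +0000] "GET /+491700000006 HTTP/1.1" 404 120
198.51.100.5 - - [10/Jan/2023:10:00:05 +0000] "GET /+491700000042 HTTP/1.1" 200 512
198.51.100.5 - - [10/Jan/2023:10:05:00 +0000] "GET /somechannel HTTP/1.1" 200 800
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
PHONE_PATH_RE = re.compile(r'^/\+\d{7,15}$')   # assumed resolve-URL shape
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_resolve_requests(log_text):
    """Yield (ip, timestamp, number, status) for phone-number resolve requests only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not PHONE_PATH_RE.match(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        yield m["ip"], ts, m["path"][1:], int(m["status"])


def find_enumerators(log_text, window_seconds=60, threshold=5):
    """Flag clients that resolve >= threshold distinct numbers inside any window.

    Returns {ip: (max_distinct_in_window, not_found_ratio)}. A high share of
    "Not Found" answers is the signature of guessing rather than of normal use.
    """
    per_ip = defaultdict(list)
    for ip, ts, number, status in parse_resolve_requests(log_text):
        per_ip[ip].append((ts, number, status))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        peak = 0
        for i, (start, _, _) in enumerate(events):   # sliding window over sorted events
            window = {n for ts, n, _ in events[i:] if (ts - start).total_seconds() <= window_seconds}
            peak = max(peak, len(window))
        if peak >= threshold:
            misses = sum(1 for _, _, st in events if st == 404)
            flagged[ip] = (peak, round(misses / len(events), 2))
    return flagged
```

The same counting logic can feed a WAF rate rule; the not-found ratio is what separates a scanner from a user who legitimately opens a handful of phone links.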
Telethon is a Python library that allows you to interact indirectly with Telegram's API. It provides a set of functions for querying user information.
This includes "ImportContactsRequest", which adds a user to your own Telegram contacts based on a phone number. Afterwards, various user data can be retrieved via the get_entity function, for example the username and the profile picture.
The Telethon API offers two advantages. On the one hand, the resulting data sets are much easier to process further. On the other hand, you receive other useful information, such as the language code of the requested user, if it is set.
However, this API interface is severely restricted: After a certain number of requests to the API, you are temporarily blocked. This makes effective enumeration of numbers currently almost impossible.
All of the presented proofs of concept are suitable for finding out Telegram user data. When choosing one of the PoCs, the deciding factor is how many resources are available to resolve as many numbers as possible. How the numbers are generated also matters: for example, bruteforcing could be made more effective with specific prefixes if there were information about where the target might be located.
The question remains how Telegram will deal with such features in the future in order to counter possible attacks on its users' privacy. This would of course affect the functionality of the presented proofs of concept.