Find out Telegram user data: User Enumeration & De-anonymization

The organization of pro-Russian hacker groups like Killnet in Telegram groups raises the question of whether it is possible to find out user data via Telegram. In this article, we present two proofs of concept that can be used to de-anonymize Telegram users.

The idea: Find out user data of Killnet members via Telegram

The war in Ukraine has led to an increase in pro-Russian hacking attacks on western authorities and companies. To counteract these attacks, ProSec has developed the Live attack parser. This parser scans the attackers' Telegram groups and thus provides information about planned attacks, which gives companies the opportunity to better protect themselves against them.

Our investigation of the Telegram groups found that they are primarily organized through a number of Killnet sub-groups, mostly led by group leaders. This raised the following question for us: Is it possible to find out user data via Telegram in order to de-anonymize the users responsible for cyber attacks?

All presented proofs of concept were developed in August 2022. At the current time (January 2023) all PoCs are still functional.

General functionality & requirements

Basically, the proofs of concept exploit the problem that Telegram has no contact request function, which makes it possible to obtain data such as the user name in a number of ways using the cell phone number. The poorly implemented handling of URIs and the personalized t.me links are used for this. These allow other users to be contacted via their username or telephone number.

The prerequisite for this is that the target person/user has set the setting "Who can find me under my number" to "Everyone".

The setting "Who can see my number" is irrelevant here, since the number is resolved via the URI/API. It doesn't matter whether the number can be displayed in the app, since you can correlate the request with the answer. When enumerating via the Telegram applications, however, it should be noted that some of these are very unstable and therefore often deliver unreliable results. The scan results should therefore be validated several times in order to be able to make an accurate statement.

In addition, it is possible to validate the number found via shared groups or the added contact of the target person.

Figure: Privacy and Security Settings of the Telegram App (iOS)

Proofs of Concept: Find out Telegram user data

User deanonymization via web and desktop application

Functionality

The procedures for user deanonymization via the web and desktop application are very similar as they both use the URI to resolve the requested number.

The main difference is that the web app receives the URI as a URL encoded query and the desktop app is called directly via the tg:// URI.

Figure: Telegram URI for resolving numbers via t.me links

As soon as you send the request via a browser, you will be forwarded to the web or desktop application. If the requested number exists, the chat will open. Otherwise, the message "Not Found" is displayed.

Figure: Attack Chain - Web/Desktop Application

Enumeration via web vs. desktop application

Since Telegram currently does not limit access to said URIs via the desktop or web apps, you can send any number of requests. You can brute-force numbers and then correlate them based on common groups or (if available) the username.

In the case of enumeration via the web application, however, the number of requests sent is quite high and therefore relatively noticeable. Requests could easily be recognized and blocked by a web application firewall (WAF).
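What the recognition mentioned above could look like on the defending side, as an added example that is not part of the original article: a sliding-window count of distinct numbers looked up per client. The log format, the `/resolve?phone=` path, the thresholds and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <client> <request path>".
# The /resolve?phone= path is hypothetical and stands in for any number-lookup request.
LINE_RE = re.compile(r"^(\S+) (\S+) /resolve\?phone=\+?(\d{7,15})$")


def find_enumerators(lines, window=timedelta(seconds=60), max_distinct=5):
    """Return {client: peak count} for clients that looked up more than
    max_distinct different numbers within one sliding window.
    Each client's lines are assumed to be in chronological order."""
    recent = defaultdict(deque)  # client -> (timestamp, number) pairs inside the window
    flagged = {}
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # not a lookup request
        ts = datetime.fromisoformat(match.group(1))
        client, number = match.group(2), match.group(3)
        queue = recent[client]
        queue.append((ts, number))
        while ts - queue[0][0] > window:  # drop lookups older than the window
            queue.popleft()
        distinct = len({n for _, n in queue})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged


def build_sample_log():
    """Constructed sample: one client walks a number range, another repeats a contact."""
    start = datetime(2023, 1, 10, 12, 0, 0)
    lines = [
        f"{(start + timedelta(seconds=2 * i)).isoformat()} 10.0.0.7 "
        f"/resolve?phone=+1555555010{i}"
        for i in range(8)
    ]
    lines += [
        "2023-01-10T12:00:05 10.0.0.9 /resolve?phone=+15555550199",
        "2023-01-10T12:03:00 10.0.0.9 /resolve?phone=+15555550199",
        "2023-01-10T12:07:00 10.0.0.9 /resolve?phone=+15555550142",
        "2023-01-10T12:07:01 10.0.0.9 /index.html",
    ]
    return lines


if __name__ == "__main__":
    print(find_enumerators(build_sample_log()))
```

Counting distinct numbers rather than raw requests keeps a user who reopens the same chat repeatedly from being flagged.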

With enumeration via the desktop application, you don't have this problem, since you only send indirect requests to Telegram's web infrastructure. However, the response handling is much more cumbersome here, since you cannot work with HTTP responses. This also significantly limits the speed.

User deanonymization via Telethon API

Functionality

Telethon is a Python library that allows interacting indirectly with Telegram's API. It provides a range of functions to query user information.

This includes the "ImportContactsRequest", which allows users to add a telephone number to their own Telegram contacts. It is then possible to request a range of user data via the get_entity function - for example username and profile picture.

Figure: Attack Chain - Telethon API

Advantages and disadvantages

The Telethon API offers two advantages. On the one hand, it is much easier to further process the resulting data sets. On the other hand, you get a range of other useful information such as the language code of the requested user, if this is set.

However, this API interface is severely restricted: After a certain number of requests to the API, you will be temporarily blocked. This currently makes the effective enumeration of numbers almost impossible. 

Conclusion: advantages and disadvantages of the PoC and outlook

All presented proofs of concept are suitable for finding out Telegram user data. When deciding on one of the PoCs, it is relevant how many resources are available to resolve as many numbers as possible. How the numbers are generated also plays a role. For example, it would be possible to brute-force more effectively with special prefixes if there was information about where the target might be.

The question remains how Telegram will deal with such functions in the future to counter possible attacks on the privacy of its users. This would of course affect the functionality of the presented proofs of concept.

Figure: Overview of the advantages and disadvantages of the proofs of concept