Unveiling Messenger Weaknesses: Understanding How Hackers Can Infiltrate and Compromise Your Device

Officer's Notes


Big thanks to my TG channel follower for bringing up this crucial subject, researchers have recently observed a marked rise in account hijackings, particularly with Telegram. It is important to mention that phishing and social engineering are often used in tandem in the majority of cases.

However, I want to talk about instances today where accounts are compromised due to messenger vulnerabilities rather than phishing attacks (which, thankfully, are usually quickly fixed):

  • 1) CVE-2022–36934 (critical vulnerability in WhatsApp) — allowed to execute RCE via buffer overflow while performing a video call;
  • 2) CVE-2022–27492 (vulnerability in WhatsApp) — allowed to execute RCE by sending a pre-created video file;
  • 3) In 2017, there were many news pieces about the possibility of hijacking Telegram and WhatsApp account by sending (just) an image file. And you didn’t necessarily need to download it to your phone to get infected with a malware. However, I have not found any confirmation of this CVE so far.

What conclusions can be drawn here? Aside from 2FA, mail binding, and other features, the best thing to do in messengers is turn off file auto-downloading.

To disable auto-downloading on Telegram, go to “Privacy & Security → Data Settings”. This applies to both wifi and cellular connections. You never know what will be sent to you, and what 0-day was released just yesterday, so always remember that forewarned is forearmed, and take all necessary security precautions ahead of time before it is too late.

Naturally, you should always keep in mind that unless you learn to be a little more cautious about what and where you enter, send, and open, no antivirus software or two-factor authentication will be of any use!

Private or Anonymous?

In today’s interconnected digital landscape, the importance of securing our online accounts cannot be overstated. As individuals increasingly rely on instant messaging platforms for communication, the necessity to protect our privacy and personal information has become paramount. Particularly, when it comes to Telegram — an app renowned for its privacy features and encryption — it is essential to understand the criticality of securing our accounts in order to fortify our digital presence against potential threats from malicious actors.

Telegram’s extensive user base and emphasis on privacy have made it an appealing choice for individuals and organizations seeking a secure means of communication. However, while Telegram offers robust security features, it is imperative for users to take proactive measures to safeguard their accounts and protect their sensitive information.

In essence, the need to secure your Telegram account transcends individual benefit — it extends to fostering a more secure and privacy-conscious digital community. By prioritizing account security and implementing robust measures to fortify your presence on the platform, you not only safeguard your own privacy and information but also contribute to elevating the overall security posture of the Telegram network.

Speaking seriously, human freedom is predicated on privacy; without it, decisions can be easily swayed by everything from criminal prosecutions to public censure to coercive measures. I feel that there should be no exceptions to the rule that privacy must be protected. Your data belongs to you and only to you, not to any third parties like corporations, hackers, or special services.

With all said, it is imperative to differentiate between anonymity and privacy. Privacy means that people can clearly tell who you are, but they don’t know what you would do. Being anonymous suggests that, despite what you do being known, people are unaware of your identity.

For most people, anonymity is desirable but not necessary. You need anonymity if you’re concerned about anyone seeing your data. But… how “much” security? Well, depending on your threat model, which includes your actions, the identity of your possible attacker, and other factors. Online security, privacy, and anonymity are much safer when combined with personal security. While privacy is essential, not everyone requires personal security or anonymity.

As law enforcement and “big tech” corporations are the first to be interested in your data, protect yourself rather than depending on others. Avoid asking yourself if you have anything to conceal. Do you have anything that you would like to keep safe? Numerous instances of “harmless surveillance” that are defended have serious repercussions.

Think twice about this. Securing our digital presence is becoming more and more important as technology develops, which emphasizes the need for a strong commitment to account security across all digital platforms!

Telegram: Settings Checklist

The lightweight chat client Telegram is one of the most common methods of communication in crypto, and there’s a good reason for that. This app is also frequently used for work and communication, so it stands to reason that scammers and hackers would also look for victims there.

This article initially written for immunefi.com (my ex-job) by myself.

Let’s figure out how not to be a victim! Let’s get started!

Beware of impersonators (carefully check out Telegram bio as the scammer may insert any nickname to his bio and leave his own nickname blank), fake notifications about logging into Telegram (check out them carefully, they should come into the official telegram news & tips channel) with a phishing link, fake bots (yep, bots — not user accounts — may DM first) and so on!

NONE of the telegram chats are E2E encrypted not 1:1, not groups — only TLS. Only the secret chat one iirc.

Settings Checklist:

  • Phone Number → Who can see my phone number — Nobody;
  • Data and Storage → Auto Download Media → Toggle off;
  • Phone Number → Who can find me by my number — My Contacts;
  • Last Seen & Online → Who can see my timestamp — Nobody;
  • Profile photo → Who can see my profile photo — My Contacts;
  • Calls → Who can call me — My Contacts (or Nobody, if you prefer);
  • Calls→ Peer-to-peer — My contacts (or Nobody, if you prefer not to share your IP address with chat partners);
  • When you start the call, you will see four emojis at the top right corner — ask the person you are calling to name them and compare them to yours (they should be the same as yours). This is protection from MitM;
  • Forwarded Messages → Who can add a link to my account when forwarding my messages — My Contacts;
  • Never add contacts to Telegram (if there are any — erase them), and always use VPN;
  • Groups & Channels → Who can add me — My Contacts;
  • Set up a 2FA (cloud password);
  • Set up a cloud email 2FA!;
  • More about 2FA core.telegram.org/api/srp#email-verification & this;
  • Disable sticker loop animation! Animated Stickers = danger;
  • Disable auto-downloading (both wi-fi and cellular): Privacy & Security → Data Settings;
  • Disable P2P calls for everyone as it may expose your IP! Same with secret chats! End-to-End encryption means thats your IP will become known the person you’re chatting with. And vice versa;
  • Disable link & image previews in secret chats (scroll down in a Privacy and Security section;
  • Disable autoplay GIFs!
  • You can now buy Telegram Premium subscriptions (also — numbers & usernames) with TON: fragment.com/premium;
  • Dutch Police Can Access Hidden Telegram Numbers — Use a burner number!
  • Never activate (via /start) any telegram bot! Do not even touch telegram bots (only public chat bots are considered safe, you can operate them in a public chat via commands), never DM a Telegram bot! (any button can contain a SQLi vulnerability or even worse);
  • If you have to open PDF (CV for example), use dangerzone.rocks or google drive preview regime (ask to upload);
  • Watch out active session! Terminate inactive sessions! Watch out session stealers;
  • If you receive a message about logging into your account — check that it is on a legitimate telegram notification & news channel. Scammers can impersonate this notification channel to force you to give them the OTR code from the SMS;
  • Check out Telegram FAQ;
  • To sign in to Telegram, use a different phone number — or even a virtual phone number — rather than your actual mobile number. However, if you use a one-time number, someone else may obtain access to your account. To conceal your IP address, use a VPN (which Telegram can provide, for example, at the request of law enforcement officials);
  • Check out this list & follow Telegram Tips;
  • It is necessary to have a separate secure device with an account-logged in application;
  • It is necessary to regularly check the work of the application logged in to the account and the chat with service notifications. At least once every five days;
  • The more devices logged into the account — the higher the risk of account compromise. Also, a logged-in device is a tool in ensuring the security of a Telegram account;
  • This project describes Telegram limitations! | Link 2;
  • More security tips by SamCZSun;
  • My old article written for Immunefi.

It appears that I’ve been banned… So, what should I do?

Final Remarks

The need to keep our online accounts safe is constant as we make our way through the complexity of the digital world. Making a deliberate effort to strengthen your Telegram account is a proactive measure to preserve the integrity of secure communication, protect personal data, and protect your privacy.

To sum up, protecting your Telegram account is essential and involves a larger commitment to security, privacy, and good digital citizenship. We actively contribute to the development of a more secure and safe virtual environment that upholds integrity, privacy, and trust by strengthening our accounts.

Stay Safe!



Officer's Notes

Threat Researcher | Web3 / OSINT / OpSec / Privacy