CVE-2019-15514

Type: Information Disclosure

Affected Users, Versions, Devices: All Telegram Users

Still not fixed/unpatched. brute.py is available exploit written under python.

Description

Suppose ali is hacktivist. His telegram user ID is 21788973 and mobile number is hidden. He lives in pakistan (+92). We can add any user to contact by phone number. We will add phones numbers from range +92-0000000000 to +92-9999999999. So if any number successfully added and that user ID is 21788973, that's mean ali number is successfully exposed !

Note: All above information supplied is hypothetical.

Remember, current example range was 9 digits long. We can reduce it more by social engineerring, sim code knowledge, password resets (specially gmail,paypal)... The more low range, the more less time will it take.

Background

This bug been exploited in wild from long. This appreciated us to investigate and open source its exploit for making telegram to patch it soon.

Proof Of Concept

Generate wordlist:

Suppose, we have an telegram victim that number starts with 92313, ends with 89 and in between there are 5 unknown digits We will generate all comibnations of number list within range 92313-xxxxx-89.

Use num_gen.py. It will write numbers to 92313xxxxx89.txt. Before, must edit following:

• prefix: a number should starts with. Here example, its 92313
• middle_range: total digits of unknown middle range. Here example, its 5
• suffix: a number should ends with. Here example, its 89

Brute force:

• *phone: insert your phone number including country code, without including spaces or +(plus)

• *api_id: create app and insert api id. learn more

• *api_hash: create app and api hash. learn more

• *numlist : the path to your numbers list or wordlist

• *username_or_id: insert numeric id or username without @ of victim. Better use kotatogram as it supports showing user id in profile.

• use_proxy: Enable or Disable proxy

• proxy_server: domain or ip of proxy DNS

• proxy_secret: hex encoded secret of proxy that serves as password

• proxy_port: numeric port, mostly 443

• should_resume: resume capability. whether to start from where numbers left ?

• threads: # numbers to be tried on each try, don't increase else won't work

• delay: delay in seconds on each try to lower telegram block time interval

Features:

1. multi-threaded i.e checks 19 numbers at time
2. resume capability
3. waits when blocked, time it waits equals to time telegram blocks
4. accurate results

Credits:

• Telethon for providing easy library,Telethon community for help about api usage
• swagkarna for inspiration

I Love ALLAH + Holy Prophet + Islam and Pakistan.