Instant messaging service Telegram has rolled out a fix over the weekend to prevent hackers from abusing voicemail accounts to gain access to other users' accounts.
The trick, known as a "voicemail hack" or "voicemail hijack," has been used in the past few months to gain access to over 1,000 Telegram accounts in Brazil, including ones belonging to local politicians.
Some of the most high-profile victims of recent attacks include Brazil's President Jair Bolsonaro, Justice Minister Sergio Moro, and Economy Minister Paulo Guedes.
How the voicemail hack works
The "voicemail hack" revolves around the process of adding a Telegram account to a new device. For this operation, a user can request that a one-time passcode be sent via a voice message call to the account owner's phone number.
If the account owner did not answer three consecutive calls, or if the owner's line was busy with another call, the one-time passcode would be left in the owner's voicemail account, provided by the owner's mobile telco.
Hackers would then use VoIP services to spoof the victim's phone number, access the voicemail account, use a default password of 0000 or 1234 (which most users don't change), and retrieve the one-time passcode. With the one-time passcode, hackers would then add the victim's Telegram account to their own device.
While some crooks used this trick to hijack legitimate accounts to send spam, some hackers used it to gain access to the message history of famous Brazilian politicians.
Telegram rolls out a fix over the weekend
But starting this weekend, Telegram has rolled out a fix to prevent the attack from working.
"As of recently, it is only possible to request a code via call if your account is protected with two-step verification," a Telegram spokesperson told ZDNet.
The fix has been rolled out for all Telegram users, and not just those in Brazil, Telegram confirmed.
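The two security-relevant points above are a policy (a login code may only be read out over a phone call when the account also has two-step verification) and a risk signal (a voice-call code that the owner never answered live is the one that lands in voicemail). The following is an added example, not Telegram's code: a small delivery-policy model that mirrors the described fix, plus a detection pass over a constructed event log that flags new-device logins preceded by an unanswered voice-code call. The Account fields, the event record layout and the 30-minute window are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Tuple


class Channel(Enum):
    APP = "app"      # code pushed to an already logged-in session
    SMS = "sms"      # text message to the account's phone number
    VOICE = "voice"  # code read out over a phone call (can end up in voicemail)


@dataclass
class Account:
    # Assumed model for the example; not Telegram's data structures.
    phone: str
    two_step_verification: bool  # the optional cloud password
    active_sessions: int = 0


def allowed_code_channels(account: Account) -> List[Channel]:
    """Delivery channels a login-code request may use for this account.

    App delivery is preferred when a logged-in session exists, SMS otherwise.
    The voice channel is only added when two-step verification is enabled,
    mirroring the fix described in the article: a code captured from
    voicemail is then not enough on its own to add the account to a device.
    """
    channels = [Channel.APP] if account.active_sessions > 0 else [Channel.SMS]
    if account.two_step_verification:
        channels.append(Channel.VOICE)
    return channels


def can_request_voice_code(account: Account) -> bool:
    return Channel.VOICE in allowed_code_channels(account)


# Constructed sample events, not real telemetry. "answered" records whether
# the owner picked up the voice call; None for channels that are not calls.
SAMPLE_EVENTS = [
    {"ts": datetime(2019, 7, 29, 10, 0), "phone": "+00-000-0001",
     "event": "code_sent", "channel": "voice", "answered": False},
    {"ts": datetime(2019, 7, 29, 10, 4), "phone": "+00-000-0001",
     "event": "new_session", "device": "unknown-android"},
    {"ts": datetime(2019, 7, 29, 11, 0), "phone": "+00-000-0002",
     "event": "code_sent", "channel": "voice", "answered": True},
    {"ts": datetime(2019, 7, 29, 11, 1), "phone": "+00-000-0002",
     "event": "new_session", "device": "iphone"},
    {"ts": datetime(2019, 7, 29, 12, 0), "phone": "+00-000-0003",
     "event": "code_sent", "channel": "sms", "answered": None},
    {"ts": datetime(2019, 7, 29, 12, 2), "phone": "+00-000-0003",
     "event": "new_session", "device": "laptop"},
]


def find_voicemail_risk_logins(events, window: timedelta = timedelta(minutes=30)
                               ) -> List[Tuple[str, datetime, datetime]]:
    """Flag new sessions that followed an unanswered voice-code call.

    An unanswered call is exactly the case in which the code is left in
    voicemail, so a new session created shortly afterwards deserves review.
    Returns (phone, code_sent_at, session_created_at) per flagged login.
    """
    unanswered = {}  # phone -> timestamp of the last unanswered voice-code call
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "code_sent":
            if ev["channel"] == "voice" and not ev["answered"]:
                unanswered[ev["phone"]] = ev["ts"]
            else:
                # A code delivered some other way supersedes the risky one.
                unanswered.pop(ev["phone"], None)
        elif ev["event"] == "new_session":
            sent = unanswered.pop(ev["phone"], None)
            if sent is not None and ev["ts"] - sent <= window:
                hits.append((ev["phone"], sent, ev["ts"]))
    return hits


if __name__ == "__main__":
    for phone, sent, login in find_voicemail_risk_logins(SAMPLE_EVENTS):
        print(f"review: {phone} code call unanswered at {sent}, new session at {login}")
```

Only the first constructed account is flagged: its voice call went unanswered and a new session appeared four minutes later. The second account answered the call live, and the third received its code by SMS, so neither matches the voicemail pattern.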
This very same "voicemail hack" did not work against Telegram alone. The technique has been known since 2017 and was initially discovered and abused to hijack WhatsApp accounts. Since then, security researchers have shown that the trick could also be used to hijack accounts at many other services, such as Facebook, Google, Twitter, WordPress, eBay, or PayPal.