I want to highlight a Telegram account recovery design issue that can result in permanent account takeover after phishing.
If an attacker obtains an active Telegram Web/Desktop session (e.g. via social engineering), the legitimate phone number owner may be unable to reclaim the account even after regaining access and enabling two-step verification (2FA).
The core problem is that critical security actions (session termination, account deletion, confirmation of changes) are confirmed inside Telegram itself, not via an out-of-band channel such as SMS.
As a result:
- the attacker’s older active session remains authoritative
- the legitimate user’s new sessions can be immediately terminated
- enabling 2FA does not invalidate existing sessions
- even account deletion may be impossible if confirmation codes are delivered only to the attacker-controlled session
This creates a permanent lockout scenario where: phone number ownership + in-Telegram verification + newly enabled 2FA are insufficient to recover the account.
This is not about phishing being a bug. The issue is the lack of a recovery mechanism that prioritizes verified phone number ownership over existing sessions.
I’ve filed a detailed report with Telegram: https://bugs.telegram.org/c/58477
Curious whether others have encountered similar recovery dead-ends, and how this compares to recovery models used by other messaging platforms.
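A toy model of the two session-authority policies the post contrasts, added here as an illustration and not code from the thread, from Telegram, or from the linked bug report. The 24-hour seniority rule, the roughly two-minute reaction time of the hijacked session and the 24-hour lockout are assumptions taken from the figures given in the replies; `phone_first` is a hypothetical hardened policy in which the most recent out-of-band phone verification outranks session age, so that enabling 2FA from the verified session evicts everything older.

```python
from dataclasses import dataclass, field

# Assumed parameters, taken from the thread's description, not from Telegram.
SENIORITY_HOURS = 24.0            # in-app termination rights need a 24h-old session
LOCKOUT_HOURS = 24.0              # a terminated new login cannot retry for 24h
ATTACKER_REACTION_HOURS = 2 / 60  # hijacked session notices a new login within ~2 min


@dataclass
class Session:
    owner: str          # "user" or "attacker": who physically holds the device
    created_at: float   # model time in hours
    verified_at: float  # when this login last completed a code sent to the phone number


@dataclass
class Account:
    policy: str                   # "in_app" (as described) or "phone_first" (hardened)
    two_fa_enabled: bool = False
    sessions: list = field(default_factory=list)

    def add(self, s: Session) -> None:
        self.sessions.append(s)

    def may_terminate_others(self, s: Session, now: float) -> bool:
        if s not in self.sessions:
            return False
        if self.policy == "in_app":
            # Only seniority counts, so the older hijacked session always outranks a new one.
            return now - s.created_at >= SENIORITY_HOURS
        # phone_first: the session holding the freshest phone verification outranks age.
        return s.verified_at == max(x.verified_at for x in self.sessions)

    def terminate_others(self, s: Session, now: float) -> int:
        """Terminate every other session if policy allows; return how many were evicted."""
        if not self.may_terminate_others(s, now):
            return 0
        evicted = len(self.sessions) - 1
        self.sessions = [s]
        return evicted

    def enable_two_fa(self, s: Session, now: float) -> int:
        self.two_fa_enabled = True
        if self.policy == "phone_first":
            # Hardened: turning on 2FA from the freshly verified session evicts the rest.
            return self.terminate_others(s, now)
        return 0  # As described in the post: existing sessions survive.


def attempt_recovery(policy: str, rounds: int = 3) -> dict:
    """Replay the thread's scenario under a policy and summarise the outcome."""
    acct = Account(policy)
    now = 0.0
    # The phished session was created with the victim's own login code, so it is verified too.
    hijacked = Session("attacker", created_at=now, verified_at=now)
    acct.add(hijacked)
    now += 100.0  # the owner notices days later
    lockouts = 0
    for _ in range(rounds):
        mine = Session("user", created_at=now, verified_at=now)  # fresh code to the owner's phone
        acct.add(mine)
        acct.enable_two_fa(mine, now)
        acct.terminate_others(mine, now)        # owner tries to kick the hijacker
        now += ATTACKER_REACTION_HOURS
        acct.terminate_others(hijacked, now)    # hijacker tries to kick the owner
        if {s.owner for s in acct.sessions} == {"user"}:
            return {"recovered": True, "lockouts": lockouts, "attacker_present": False}
        lockouts += 1
        now += LOCKOUT_HOURS                    # owner cannot log in again until this passes
    return {
        "recovered": False,
        "lockouts": lockouts,
        "attacker_present": any(s.owner == "attacker" for s in acct.sessions),
    }


if __name__ == "__main__":
    for p in ("in_app", "phone_first"):
        print(p, attempt_recovery(p))
```

Under `in_app` the owner's session never reaches 24 hours of age before the hijacked one terminates it, so every round ends in another lockout; under `phone_first` the first 2FA enablement from the phone-verified session evicts the hijacker and the loop exits on the first round.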
Happened to me, exactly as described by OP.
- All new sessions are terminated within a couple of minutes by the hijacked one.
- You can't terminate the hijacked session with a new session. New sessions have to wait 24 hours to gain this authority (which of course never happens).
- Each time a new session gets terminated, you can't log into Telegram for 24 hours.
- The only way to recover your ownership is to delete your account within 2 minutes of getting a new session working.
> The only way to recover your ownership is to delete your account...
Can you "undelete" an account? (I don't have Telegram)
Unfortunately, no.
The link is broken, but the OP is definitely posting AI slop, so I believe this could very likely be a hallucination.
Yeah, I have some bad news about that huge bug bounty you're expecting... ChatGPT was wrong, and there is no way to close the HackerNews account you just created, so all the abuse that deservedly comes your way will, in fact, be on your permanent record.
This is a known security issue in Telegram, the one they stubbornly refuse to fix.
Ah, yes, I see... Are the known security issues that Telegram stubbornly refuses to fix in the room with us right now?