morethanwords / tweb

Telegram Web K, GPL v3
https://web.telegram.org/k/
GNU General Public License v3.0
1.86k stars 595 forks

[BUG] The login code text is not safe. #328

Open eccstartup opened 5 months ago

eccstartup commented 5 months ago

Describe the bug

For the Web K version of Telegram, the login code seems to be encrypted in some way, but that is not the case. If you read the source code carefully, you will see the numbers are shown as characters with ASCII code order index of a braille-like string, which is not safe.

For numbers, we have:

{0: '⠦', 1: '⠩', 2: '⠪', 3: '⠬', 4: '⠱', 5: '⠲', 6: '⠴', 7: '⠸', 8: '⡃', 9: '⡅'}

To Reproduce

Steps to reproduce the behavior:

  1. Open the Web K version and log in.
  2. Log in on another device.
  3. See the sidebar of the Web K version and see the encrypted code.
  4. Decrypt it yourself.

Expected behavior

The login code should be truly encrypted.

Screenshots

image

Yes, it is 19999.

Desktop (please complete the following information):

Additional context

N/A.