Operational Telegram — Medium
thomwithoutanh's bookmarks 2016-08-10
Summary:
Telegram links an account to a telephone number. When a user registers an account, the messenger verifies that the phone number is accessible to them, via an authentication code sent over SMS or via a call. For an attacker with access to the telco systems (e.g. SS7 injection, or a national telephone operator), hijacking the verification code for the account is straightforward: the SMS/calls to the number are simply redirected to a location that is under the attacker's control/visibility.