If an attacker obtains an active Telegram Web/Desktop session (e.g. via social engineering), the legitimate phone number owner may be unable to reclaim the account even after regaining access and enabling two-step verification (2FA).
The core problem is that critical security actions (session termination, account deletion, confirmation of changes) are confirmed inside Telegram itself, not via an out-of-band channel such as SMS.
As a result:
- the attacker's older active session remains authoritative
- the legitimate user's new sessions can be immediately terminated
- enabling 2FA does not invalidate existing sessions
- even account deletion may be impossible if confirmation codes are delivered only to the attacker-controlled session
This creates a permanent lockout scenario where: phone number ownership + in-Telegram verification + newly enabled 2FA are insufficient to recover the account.
This is not about phishing being a bug. The issue is the lack of a recovery mechanism that prioritizes verified phone number ownership over existing sessions.
I’ve filed a detailed report with Telegram: https://bugs.telegram.org/c/58477
Curious whether others have encountered similar recovery dead-ends, and how this compares to recovery models used by other messaging platforms.
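To make the two recovery models concrete, here is an added toy simulation (not Telegram's code and not part of the filed report) of the session-authority rule described in this thread versus a policy that ranks verified phone-number ownership above session age. The 24-hour and roughly two-minute figures are taken from the thread; the session labels, timeline and outcome strings are constructed.

```python
# Added illustration, not Telegram's code: a toy model of two recovery policies.
# All times are in minutes and all values are constructed for the example.
from dataclasses import dataclass

TERMINATE_AFTER = 24 * 60   # a new session may end others only after 24h (as described)
ATTACKER_REACTION = 2       # the hijacked session ends newcomers within ~2 min (as described)
LOGIN_COOLDOWN = 24 * 60    # after being terminated, the owner cannot log in for 24h


@dataclass
class Session:
    holder: str           # "owner" or "attacker" (constructed labels)
    created: int          # minute at which the session was established
    phone_verified: bool  # completed an out-of-band (SMS) check at login


def may_terminate(actor: Session, now: int, policy: str) -> bool:
    """Decide whether a session is allowed to end other sessions under a policy."""
    if policy == "session-age":        # the rule the thread describes
        return now - actor.created >= TERMINATE_AFTER
    if policy == "phone-ownership":    # the alternative the post argues for
        return actor.phone_verified
    raise ValueError(f"unknown policy: {policy}")


def simulate(policy: str, attempts: int = 3) -> str:
    """Owner repeatedly logs in with a freshly verified phone; attacker reacts each time.

    Returns "recovered" if the owner can end the hijacked session, else "locked_out".
    """
    # Hijacked session is two days old, so it already outranks any newcomer by age.
    attacker = Session("attacker", created=-48 * 60, phone_verified=False)
    now = 0
    for _ in range(attempts):
        owner = Session("owner", created=now, phone_verified=True)
        # Owner acts first: tries to end the hijacked session right after login.
        if may_terminate(owner, now, policy):
            return "recovered"
        # Attacker notices within a couple of minutes and ends the new session.
        now += ATTACKER_REACTION
        if not may_terminate(attacker, now, policy):
            return "recovered"
        now += LOGIN_COOLDOWN  # owner is blocked from logging in again for 24h
    return "locked_out"
```

Under the session-age rule the owner's fresh session never reaches the 24-hour mark before the older session ends it, which is the dead-end the post describes; under the phone-ownership rule the first verified login wins.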
- All new sessions are terminated within a couple of minutes by the hijacked one.
- You can't terminate the hijacked session with a new session. New sessions have to wait 24 hours to gain this authority (which of course never happens).
- Each time a new session gets terminated, you can't log in to Telegram for 24 hours.
- The only way to recover your ownership is to delete your account within 2 minutes of getting a new session working.
Can you "undelete" an account? (I don't have Telegram)