Silent login on Telegram web resources

Some time ago, our subscribers noticed that when they navigate to web.telegram.org from the mobile or desktop Telegram application, the web application does not prompt the user to log in but instead immediately displays the content of their account. The @tginfo editorial team explains the details of the Telegram automatic authorization mechanism.

What is happening?

When users go from the messenger to certain Telegram web resources, they don’t need to log in with their account on those sites. The application adds a special token to the link, allowing the resource to automatically grant access to the user without requesting their phone number or cloud password. It is important to note that this feature has been present in all Telegram applications for quite some time: it is supported by at least the last few versions of the applications on Android, iOS, MS Windows, and macOS.

On which resources does this work?

  • web.telegram.org: Telegram web application
  • web.t.me: currently leads to the main page of the official site telegram.org
  • a.t.me: leads to telegram.org
  • k.t.me: leads to telegram.org
  • z.t.me: leads to telegram.org
  • instantview.telegram.org: platform for working with Instant View templates
  • translations.telegram.org: platform for translating the application into different languages
  • contest.com: platform for contests among third-party developers and designers
  • contest.dev: leads to contest.com
  • bugs.telegram.org: platform for publishing and viewing user bug reports
  • suggestions.telegram.org: platform for publishing and viewing user suggestions
  • themes.telegram.org: platform for developing application themes
  • promote.telegram.org: advertising platform

Risks

While inconspicuous authorization is convenient for most users, it poses some risks.

A new active session is created during authorization in the web application. The user receives a message from the Telegram service account about this, but it is easier to forget about such an automatically created session than about one the user created by consciously logging in to the web application. After closing the browser tab, the user may forget that they are still logged in.

Authorization on the web resource occurs with the account from which the user follows the link. If the user was previously authorized on the web resource with one account and then follows the link from another account, they end up being authorized with the second account, not the first. On some resources, this can be difficult to notice.

These two risks are exacerbated by the fact that neither the application nor the web resource prompts the user to enter their authorization data, and neither warns the user that authorization is taking place at all.

What can be improved?

The above-mentioned risks could be minimized if, instead of inconspicuous authorization, the applications offered the user the option to confirm their intention to log in with the account from which they followed the link or to cancel this action. Unfortunately, at the moment, neither the applications nor the resources do this.

The Telegram Info editorial team suggests that the Telegram administration change the behavior of the applications and, instead of inconspicuous authorization, give the user the option to decline it: https://bugs.telegram.org/c/34337.
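
The confirmation step proposed above can be sketched as a small server-side gate. This is an added example, not Telegram's code: the LoginGate class, the token strings and the account names are hypothetical, and single-use tokens are an assumption, since the article does not describe the token format.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Decision:
    action: str                     # "confirm", "unchanged", "logged_in", "cancelled", "no_token"
    session_account: Optional[str]  # account the browser session belongs to after this step
    prompt: Optional[str] = None    # text shown to the user when action == "confirm"


class LoginGate:
    """Hypothetical handler for links that carry an auto-login token."""

    def __init__(self, tokens):
        self._tokens = dict(tokens)  # token -> account (constructed sample data)
        self._pending = {}           # token -> account awaiting the user's answer

    def open_link(self, token, current_account):
        # Consume the token on first use (assumption: tokens are single-use).
        account = self._tokens.pop(token, None)
        if account is None:
            return Decision("no_token", current_account)
        if account == current_account:
            # Same account is already logged in: no new session is needed.
            return Decision("unchanged", current_account)
        # Never create or switch a session silently: park the request and ask.
        self._pending[token] = account
        if current_account is None:
            prompt = f"Log in as {account}?"
        else:
            prompt = f"You are logged in as {current_account}. Switch to {account}?"
        return Decision("confirm", current_account, prompt)

    def answer(self, token, current_account, accept):
        account = self._pending.pop(token, None)
        if account is None or not accept:
            # Declined or unknown request: the existing session stays as it was.
            return Decision("cancelled", current_account)
        return Decision("logged_in", account)


if __name__ == "__main__":
    gate = LoginGate({"tok-1": "alice", "tok-2": "bob"})  # constructed tokens
    print(gate.open_link("tok-1", None))
    print(gate.answer("tok-1", None, accept=True))
    print(gate.open_link("tok-2", "alice"))
    print(gate.answer("tok-2", "alice", accept=False))
```

Both risks described in the article map to the "confirm" branch: a session is only created, or switched to another account, after the user explicitly accepts.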