About passkey support:
While this has already been discussed in the past few days, obviously not all of you would read messages there.
Please note that passkey doesn't work for all password managers; according to the Nagram dudes, the known working ones are Bitwarden and KeePassDX.
And just to expand on the “less secure” part from yesterday: the official Telegram setup uses the Play Services passkey flow, which checks both the package name and the APK signature before letting the app request a passkey. That means only the Telegram APK signed with the official signature can ask for the credential.
Our setup doesn’t get that. We have to act like a browser, which means no package/signature verification at all. So any shady app on your phone that can call the same WebAuthn-looking flow could pop a passkey prompt. If you approve it because it looks legit, your account’s toast.
So, again, always look out for where you grab your APKs: only download Momogram from here, the discussion group (if it's from me) or GitHub releases.
=====
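About Passkey support:
To be clear up front: Passkey doesn't work with every password manager.
According to information from the Nagram side, the only ones currently known to work are Bitwarden and KeePassDX.
To add a bit more on the “less secure” point mentioned yesterday: the passkey flow that official Telegram uses checks both the package name and the APK signature, which means only the officially signed Telegram APK can initiate a passkey request.
We don't have that layer of protection on our side; we can only go through the browser-style flow, which does no package name or signature verification at all.
This means that if you install a suspicious app on your phone, it can bring up a passkey prompt the same way, and if you then carelessly tap allow, your account is basically taken right away.
Reminder again: always download the APK from official sources; only download Momogram from here, the discussion group (if it's posted by me), or GitHub Releases.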
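An added illustration, not Momogram's or Telegram's code: a model of the caller check the post describes, where a passkey request is honoured only if both the package name and the signing-certificate fingerprint match an allowlist. It assumes the allowlist is published in Digital Asset Links (`assetlinks.json`) form; the package name and certificate bytes are constructed placeholders.

```python
import hashlib
import json

# Constructed sample data: placeholder package name and certificate bytes.
OFFICIAL_PKG = "com.example.official"
OFFICIAL_CERT = b"constructed-official-signing-certificate"
REPACKAGED_CERT = b"constructed-third-party-signing-certificate"
PASSKEY_RELATION = "delegate_permission/common.get_login_creds"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate as colon-separated upper-case hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Statement list in assetlinks.json form, as the relying party would publish it.
ASSETLINKS = json.dumps([{
    "relation": [PASSKEY_RELATION],
    "target": {
        "namespace": "android_app",
        "package_name": OFFICIAL_PKG,
        "sha256_cert_fingerprints": [cert_fingerprint(OFFICIAL_CERT)],
    },
}])


def caller_may_request_passkey(assetlinks_json: str, package: str, cert_der: bytes) -> bool:
    """True only if package name AND signing-cert fingerprint match one statement."""
    try:
        statements = json.loads(assetlinks_json)
    except json.JSONDecodeError:
        return False  # fail closed on malformed input
    if not isinstance(statements, list):
        return False
    presented = cert_fingerprint(cert_der)
    for stmt in statements:
        if not isinstance(stmt, dict) or not isinstance(stmt.get("target"), dict):
            continue
        target = stmt["target"]
        if PASSKEY_RELATION not in stmt.get("relation", []):
            continue
        if target.get("namespace") != "android_app" or target.get("package_name") != package:
            continue
        allowed = {str(fp).upper() for fp in target.get("sha256_cert_fingerprints", [])}
        if presented in allowed:
            return True
    return False
```

A build that reuses the package name but is signed with a different key fails this check; the browser-style flow described in the post has no equivalent gate, which is why the download source matters.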
Momogram
Toggle to remove chat bottom UI padding (Use with unrounded UI for classic-like experience)
Here's how it looks and Merry Christmas eve ig