Telegram Patches Critical Flaw After Over a Month of Exposure
In April, there were reports of a high-risk security vulnerability in the desktop version of the instant messaging app Telegram. According to those reports, attackers could infect users by sending specially crafted files disguised as media, reportedly with little or no interaction from the victim, because Telegram downloads media files automatically by default.
Today, researchers from the well-known security software developer ESET disclosed another high-risk vulnerability in Telegram. The exploit had been offered for sale on an underground forum since at least June 6, and it was not until July 11 that Telegram patched it, in Telegram for Android version 10.14.5.
Telegram's Zero-Day Vulnerability:
ESET researchers first noticed an account named Ancryno advertising the exploit for sale on the Russian-language hacker forum XSS. After obtaining and testing a proof of concept (PoC), ESET confirmed the vulnerability was genuine and that it affected only Telegram for Android; on the desktop and web clients the same payload shows up as an ordinary file rather than a video.
The attacker prepares a specially crafted APK file and sends it to Telegram users. In the Android client the message is rendered as an embedded video, and if Telegram's automatic media download setting is enabled (the default), the file is downloaded to the device without the user doing anything.
When the user tries to play the "video", Telegram cannot decode it and offers to open the file with an external app. Tapping "Open" hands the file to the Android package installer, which installs the malicious APK. This last step only succeeds if the user has already allowed Telegram to install apps from unknown sources (on recent Android versions this is a per-app "Install unknown apps" permission); otherwise Android warns the user that they are about to open an APK file and blocks the installation until the permission is granted.
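The core of this technique is a mismatch between the type a file claims to be (a video, according to the message) and what its bytes actually are (a ZIP container with an Android manifest). A client, gateway or forensic script can catch that mismatch by sniffing the container before trusting the declared type. The following is an added example, not code from ESET, Telegram or the exploit seller; the message fields (`mime_type`, `file_name`, `data`) and the sample attachments are constructed for illustration and do not reflect Telegram's real API shape.

```python
"""Detect attachments whose declared media type does not match their content.

Added example (not ESET's or Telegram's code). The message dictionary layout
and the sample attachments below are constructed assumptions for the demo.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"            # local file header of a ZIP (and every APK)
EBML_MAGIC = b"\x1a\x45\xdf\xa3"     # Matroska / WebM
VIDEO_CONTAINERS = {"mp4", "webm"}


def sniff_container(data: bytes) -> str:
    """Identify the real container from leading bytes, ignoring name and MIME."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if len(data) >= 12 and data[4:8] == b"ftyp":   # ISO BMFF: MP4 / MOV / 3GP
        return "mp4"
    if data.startswith(EBML_MAGIC):
        return "webm"
    return "unknown"


def looks_like_apk(data: bytes) -> bool:
    """An APK is a ZIP whose central directory lists AndroidManifest.xml."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def classify_attachment(declared_mime: str, file_name: str, data: bytes) -> str:
    """Return 'ok', 'mismatch' (declared video, content is not) or
    'apk-as-media' (an APK presented as anything other than an .apk)."""
    if looks_like_apk(data):
        presented_honestly = (not declared_mime.startswith("video/")
                              and file_name.lower().endswith(".apk"))
        return "ok" if presented_honestly else "apk-as-media"
    if declared_mime.startswith("video/") and sniff_container(data) not in VIDEO_CONTAINERS:
        return "mismatch"
    return "ok"


def build_fake_apk() -> bytes:
    """Constructed stand-in for a malicious APK: a ZIP with the entries an APK has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")   # placeholder content
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


def build_mp4_stub() -> bytes:
    """Constructed MP4 header: size + 'ftyp' box, enough for container sniffing."""
    return b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + b"\x00" * 32


# Constructed sample messages, not captured Telegram traffic.
SAMPLES = [
    {"mime_type": "video/mp4", "file_name": "funny.mp4", "data": build_fake_apk()},
    {"mime_type": "video/mp4", "file_name": "clip.mp4", "data": build_mp4_stub()},
    {"mime_type": "application/vnd.android.package-archive",
     "file_name": "tool.apk", "data": build_fake_apk()},
]


def scan(messages):
    """Return (file_name, verdict) for every message; only the first is suspicious."""
    return [(m["file_name"], classify_attachment(m["mime_type"], m["file_name"], m["data"]))
            for m in messages]


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES):
        print(f"{name}: {verdict}")
```

The check deliberately parses the ZIP central directory instead of stopping at the `PK` magic, because ordinary media never carries an `AndroidManifest.xml` entry, so that single lookup separates "some ZIP-based format" from "an installable Android package". A client that performs this check before rendering a preview would show the attacker's payload as a file, not a video.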
The Vulnerability Exposed for At Least Five Weeks:
Although ESET researchers reported the vulnerability to Telegram on June 26, the fix took a considerable amount of time. Telegram replied to ESET on July 4 to say it was investigating, and only on July 11 did it release a new version that closes the hole.
From June 6, when the exploit was first advertised, to July 11, the vulnerability was exploitable for over a month. Telegram has not said whether it saw the vulnerability used in real attacks.
The flaw is similar in spirit to the one reported in the desktop version in April: in both cases a file that is not media is presented to the client as media, which lets Telegram's automatic download fetch it onto the victim's device. In the Android case, ESET believes the crafted message was produced by abusing the Telegram API to make the APK appear as a video.
We continue to advise Telegram users to disable the automatic media download feature, and Android users in particular not to grant Telegram permission to install apps from unknown sources, to prevent attackers from exploiting similar vulnerabilities for targeted attacks.