Claims of a ‘high-risk’ vulnerability allegedly found in Telegram’s desktop application appear to have been dismissed after Telegram addressed the issue through its Twitter account on April 9, 2024.
The company countered claims made by blockchain security firm CertiK, which had issued warnings to the public regarding an alleged Telegram vulnerability in its desktop application.
According to earlier posts made by CertiK within the same day, the vulnerability potentially exposed users to malicious remote code execution (RCE) attacks through specifically crafted media files such as images or videos.
Telegram Vulnerability: CertiK Warns Users
CertiK issued an alert on X (@CertiKAlert) warning users about the alleged Telegram vulnerability, and provided a set of instructions for disabling automatic media downloads. A similar alert was shared on CertiK’s official Telegram channel (CertikCommunity).
Users were advised to disable the default auto-download feature by navigating to the ‘Settings’ menu, clicking on ‘Advanced’, and then disabling the option for all media files.
CertiK brands itself as ‘a pioneer in blockchain security that employs cutting-edge artificial intelligence (AI) to protect and monitor blockchain protocols.’
When contacted by a cryptocurrency news outlet, CertiK said that it became aware of the issue through the ‘security community’. CertiK added that the vulnerability did not affect mobile platforms, because they rely on program signatures and use different file execution mechanisms than desktop systems.

Telegram Could Not Confirm Vulnerability, Alleges Video as Likely Hoax

Telegram made a post on X stating that it could not confirm the existence of the vulnerability and that the video proof of the bug was likely a hoax.
While technical details and official confirmation of the alleged vulnerability remain unavailable, exploitation of the official Telegram desktop application is not unheard of: security researchers have uncovered similar exploitation techniques in the past.
A bug (CVE-2023-26818) reported in 2023 in the macOS version of the Telegram desktop application potentially allowed attackers to access sensitive files, the camera, and the microphone.
Earlier, in 2021, a security researcher discovered a Telegram vulnerability that allowed attackers to send modified animated stickers, which could be abused to expose victim data. CVEdetails, a vulnerability database, lists at least 8 known vulnerabilities in the Telegram desktop application.
Such bugs are not exclusive to Telegram: crafted images delivered over popular instant messaging apps have been observed to abuse application functionality or grant attackers various forms of control.
These reports have been followed by both official confirmations and refutations, as in the case of a widely reported vulnerability in Signal Messenger, where users were advised to turn off link previews.
That claim was debunked by Signal on October 16, 2023, after the company checked with the U.S. government in an official investigation.
Telegram runs an active bug-bounty program, in operation since 2014, with rewards ranging from $100 to $100,000. In response to the alleged vulnerability, Telegram encouraged users to report potential vulnerabilities to its bug bounty program and collect rewards.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.