Cyber-security researchers on Monday disclosed details of a now-patched flaw in the Telegram messaging app that could have exposed users’ secret messages, photos, and videos to remote malicious actors.
The issues were discovered by Italy-based Shielder in iOS, Android, and macOS versions of the app. Following responsible disclosure, Telegram addressed them in a series of patches on September 30 and October 2, 2020.
The flaws stemmed from the way secret chat functionality operates and from the app’s handling of animated stickers, allowing attackers to send malformed stickers to unsuspecting users and gain access to messages, photos, and videos that were exchanged with their Telegram contacts through both classic and secret chats.
One caveat of note is that exploiting the flaws in the wild may not have been trivial, as it requires chaining the aforementioned weaknesses with at least one additional vulnerability in order to get around the security defenses in modern devices. That might sound prohibitive, but, on the contrary, such exploit chains are well within the reach of both cyber-crime gangs and nation-state groups.
Shielder said it chose to wait for at least 90 days before publicly revealing the bugs so as to give users ample time to update their devices.